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Abstract. We present an illative system Is of classical higher-order 
logic with subtyping and induction for natural numbers. The system Xs 
allows for a very natural and convenient way of handling partial and 
general recursive functions. We give examples of how properties of some 
partial functions may be established in our system, and discuss possible 
advantages over other formalisms used in common proof assistants. In a 
technical appendix to the paper we prove consistency of - a slightly 
weakened variant of Ts. The proof is by model construction. We then use 
this construction to show conservativity of over classical first-order 
logic. 



1 Introduction 

We present an illative A-calculus system Is of classical higher-order logic with 
subtyping and induction for natural numbers. Being illative means that the sys- 
tem is a combination of higher-order logic with the untyped A-calculus. It there- 
fore allows for unrestricted recursive definitions in a convenient way, including 
definitions of possibly non-terminating partial functions. We believe that this fea- 
ture of Xa makes it particularly interesting as a logic for an interactive theorem 
prover intended to be used for program verification. 

Most popular proof assistants allow only total functions, and totality must 
be ensured by the user, either by very precise specifications of function do- 
mains, restricting recursion in a way that guarantees termination, explicit well- 
foundedness proofs, or other means. This is not convenient from a programmer's 
perspective. One might argue that a prover-based program verification system 
should incorporate a general model of a programming language allowing all con- 
structs commonly occuring in programming languages, including potentially non- 
terminating recursion. 

Obviously, there is a reason why most proof assistants do not handle partial 
functions directly. This is to ensure consistency of the system. Combining an 
expressive higher-order logic with unrestricted recursion is a non-trivial problem. 

There are various indirect, and often inconvenient, ways of dealing with gen- 
eral recursion in popular theorem provers based on total logics. There are also 
many non-standard logics allowing partial functions directly. We discuss some 
related work in Sect. [21 



2. RELATED WORK 



We propose a novel approach inspired by illative combinatory logic [T], [5], 
[3], [1]. In Sect. Owe introduce an illative-like system Xg, which is a higher-order 
logic with predicate subtyping, like in e.g. PVS [5], but based on the untyped 
A-calculus. 

One of the advantages of I, is that it is similar to traditional systems of 
higher-order logic. Most of the time it may be used like an ordinary logic, without 
worrying about the issues of dcfincdncss. The only non-standard restriction is 
that in implication introduction the antecedent, and the terms used in the rules 
of negation introduction or elimination, must be proven to have type Prop, i.e. to 
be propositions. Also explicit proofs that a term has a certain type may be needed 
with universal quantifier elimination or existential quantifier introduction, since 
type-checking is undecidable. In practice, however, we believe that in most cases 
these type-checks may be easily automated. 

An advantage of the system Ig over approaches based on total logics is that 
it requires much less effort in handling partial functions. Arbitrary recursive 
definitions are allowed without the need for proving termination. Only sometimes 
during subsequent proofs explicit typing arguments are required, but they are 
usually not very complicated. We believe the system is also very natural and 
intuitive. 

In Sect. [5] we discuss possible applications of our approach to the problem 
of dealing with partiality, non-termination and general recursion in higher-order 
logic. We provide examples of proofs in of properties of some partial functions. 

Because Is is based on untyped A-calculus, its consistency is obviously open 
to doubt. In an appendix we give a proof by model construction of consistency 
of a slightly weakened version of Ig- Unfortunately, the proof is too long to fit 
within the page limits of a conference paper. The model construction is similar 
to the one from 3 for the traditional illative system I^. It is extended and 
adapted in a non-trivial way to account for additional features of . 

2 Related Work 

In this section we briefly survey some approaches to dealing with partiality and 
general recursion in proof assistants. We are mainly interested in partiality aris- 
ing from non-termination of non- well- founded recursive definitions. A good gen- 
eral overview of the relevant literature may be found in [5] . 

Perhaps the most common way of dealing with recursion in interactive theo- 
rem provers is to impose certain syntactic restrictions on the form of recursive 
definitions so as to guarantee well-foundedness. For instance, the fix construct 
in Coq allows for structurally recursive definitions whose well-foundedness must 
be checked by a built-in automatic syntactic termination checker. Some systems, 
e.g. ACL2 or PVS, pass the task of proving termination to the user. Such systems 
require that a well-founded relation or a measure be given with each recursive 
function definition. Then the system generates so called proof obligations, or 
termination conditions, which state that the recursive calls are made on smaller 
arguments. The user must solve, i.e. prove, these obligations. 
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The method of restricting possible forms of recursive definitions obviously 
works only for total functions. If a function does not in fact terminate on some 
elements of its specified domain, then it cannot be introduced by a well-founded 
definition. One solution is to use a rich type system, e.g. dependent types com- 
bined with predicate subtyping, to precisely specify function domains so as to 
rule out the arguments on which the function does not terminate. This approach 
is adopted by PVS [5]. A related method of introducing general recursive func- 
tions in constructive type theory is to first define a special inductive accessibil- 
ity predicate which precisely characterises the domain 'T . The function is then 
defined by structural recursion on the proof that the argument satisfies the ac- 
cessibility predicate. A similar method which uses inductively defined domain 
predicates, but not recursion on proofs, is possible in the classical setting of 
Isabelle/HOL fSj. 

Since the methods of defining partial and general recursive functions in proof 
assistants based on total logics often require significant effort, various tools have 
been developed to automate this task. Some of the most widely used tools are: 
the Function command of Coq [10]; Coq's Program package [TT]; and the 
function package of Isabelle/HOL [T^], [5]. 

A different approach to dealing with partiality and general recursion is to 
use a special logic which allows partial functions directly. Systems adopting this 
approach are often based on variants of the logic of partial terms of Beeson 
[13], [14]. For instance, the IMPS interactive theorem prover |15] uses Farmer's 
logic PF of partial functions [16], which is essentially a variant of the logic of 
partial terms adapted to higher-order logic. In these logics there is an additional 
definedness predicate which enables direct reasoning about definedness of terms. 

The above gives only a very brief overview. There are many approaches to 
the problem of partiality and general recursion in interactive theorem provers, 
most of which we didn't mention. However, as remarked in [6], each of them 
has its own issues. In particular, methods of introducing partial functions into 
provers based on total logics often require significant effort on the part of the 
user, or complex automated tools, or fail to work in certain cases. In systems 
based on the logic of partial terms, on the other hand, the interaction of non- 
denoting terms with logical connectives and quantification often results in some 
unfamiliar consequences. 

Our approach is perhaps closest to the logic of partial terms. The difference 
is that our system is more similar to traditional systems of higher-order logic. 
Most of the time it may be used like an ordinary logic, and we believe that the 
occasionally required extra typing arguments are usually simple enough to be 
easily automatable. 

3 The Illative System 

In this section we present the system Xg of illative classical higher-order logic 
with subtyping and derive some of its basic properties. 

Definition 3.1. The system Ig consists of the following. 
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— A countably infinite set of variables V — {x,?/, z,...} and a set of con- 
stants Us- 

— The set of sorts S = {Type, Prop, Nat}. 

— The set of terms T is defined by the following grammar. 



We assume application associates to the left and omit spurious brackets. 

— We identify a-equivalent terms, i.e. terms differing only in the names of 
bound variables are considered identical. We use the symbol = for identity 
of terms up to a-equivalence. We also assume without loss of generality that 
all bound variables in a term are distinct from the free variables, unless 
indicated otherwise 

— In what follows we use the abbreviations: 

ti : t2 = Is ti t2 
{x : a \ (fi} = Subtype aXx .(p 
a P = Fun a j3 
\/x : a . (fi = y a Xx . (fi 
Vxi , . . . , Xn : a.(p = yxi : a . ... \/xn : a.(p 



if D ijj =\/x : {y : Prop \ ip} .ip where x,y ^ FV{ip, ip) 

^ = Vp : Prop . p 

T EE _L D _L 
ip V tp = Wtpip 
if ATp = ^{->ip V ^"0) 
3x : a . ip = -Nx : a . -^Lp 



We assume that ^ has the highest precedence. 
— The system Xg is given by the following rules and axioms, where _r is a finite 
set of terms, Lp, ip are terms. The notation F, ip is a shorthand for F U {(p}. 
We use Greek letters (p, ip, etc. to highlight that a term is to be intuitively 
interpreted as a proposition, and we use a, /?, etc. when it is to be interpreted 
as a type, but there is no a priori syntactic distinction. 



So e.g. in the axiom /3 the free variables of t2 do not become bound in ti[x/t2]. 



T ::=¥ \ IJs\S \ XV .r \ (TT) | Is | Subtype | Fun | 
V I V I - I e I Eq I Cond | | s | p | 



Axioms 



1 

3: 
5: 
7: 
9: 



F,pi\-ip 

ri- Nat : Type 



2: r h Prop : Type 

4: F\-Eqtt 

6: rhoO 

8: F^Eq{p{st))t 

/3: FhEq{{Xx.ti)t2){ti[x/h]) 



r h : Nat 
F h -(o(st)) 
FhEq (pO)0 
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Rules 

r\- a: Type r,x:a\-^ x ^ FV{r, a) 



r \- Vx : a . (fi 
r\-\/x:a.ip r\-t:a 



3. : 



r h ip[x/t] 

r\-a: Type r,x -.al-ip: Prop x ^ FV{r, a) 
r h {\/x : a.ip) : Prop 

^ r\-a: Type T h t : a T h ^^faj/t] 
' r \-3x : a.ip 

r h d.r : n . ^- T. .r : n , ^- h (, ■ .r ^ FV'(r. (, a) 



ri-(^V'^ ri-(/9V'^ 

-T h V (/52 r,(pi\- ip r,(p2\- tp 
r\-ip 

r\- (fi: Prop r\-tfj: Prop 



V* : 



rh (9? V V) : Prop 



r\- ipAip r\- (pAtp 

Ael : Ae2 : 

r, 9? I- ± r I- : Prop r, -.(^ I- ± r\-(p: Prop 



-Li : 



r' h : Prop r' I — \ip : Prop 

^" ■ r h -.y. : Prop ■ r h : Prop 

r h a : Type T, a; : a h t : ^ x^ FV{r, a, (3) 
rh (Aa;.t) :a-^^ 
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r\-a: Type F \- /3 : Type 
r^ia^p): Type 

r h {a; : a I </?} : Type F \- t : a r\- {Xx.<p)t x ^ FV{a) 

r\-t:{x:a\(p} 

r \- t : {x : a \ ip} F \- t : {x : a \ ip} 

'' r h <p[x/t] ' rht-.a 

r \- a : Type -T, x : a h (/? : Prop x ^ -FV^ (a) 
-T h {a; : a I (/?} : Type 

r\-3x:a.T T \- a : Type T h 9? 



r h (ea) : Q T h V5 : Prop 



r \- (p r \ — lip 

ci ■ ^. ^ ,^ -, — , , X , C2 : 



C4 : 



r \- Eq(Cond<pfit2)ii h Eq(Conci(/3ti t2 )i2 

r,^hEqiiti rhy^tProp 
■ r h Eq (Cond iptit2) (Cond t[ t2 ) 

r, -.97 h Eqt2 4 rh : Prop 
rh Eq (Cond iphh) (Cond </? ii 4 ) 

r h : Prop 
■ ri-Eq (Condf^tO* 

r h to r,x: Nat, ta; h f(5a;) x ^ i^V(r, t) 
r h Vx : Nat . tx 

r h t : Nat 



m : 



n2 : 



n3 



r h (st) : Nat 

r h to : Prop r. X : Nat, tx h t(sx) : Prop x ^ FV{r, t) 
r h (Vx : Nat . tx) : Prop 

r\-ip r\-Eqip<p' 

eq: p^-^ 

1 I- (p 

r\-a: Type T h ti : a F \- t2 : a 
■ r h (Eqti t2 ) : Prop 
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r\-Eqti t2 

eq-sym : 



eq-trans : 



eq-cong-app : 



eq-A-^ : 



r\-Eqt2ti 

r\-Eqtit2 r\-Eqt2t3 
r\-Eqti is 

r\-Eqtit[ r\-Eqt2t'2 
rhEq(iii2)(i'i4) 

r h Eqtt' 
rhEq(Ax.t) (Xx.t') 



The system is the system Is without the rule eq^ . 

For an arbitrary set of terms F, we write hx if there exists a finite subset 
r' C r such that r' \- ip is derivable in the system I, where X = Is or I = 1^. 
We drop the subscript when irrelevant or obvious from the context. 

As the following lemma shows, weakening is admissible in the system Ig. 

Lemma 3.2. If F \- (p then F,ip \- (p. 

Because of weakening, the rule ns subsumes a weaker rule without tx in the 
assumptions. This weaker rule is what usually suffices in practical situations, 
but ns is also correct and allows to type more terms. 

We have the following substitution property. 

Lemma 3.3. If F \- <p then F[x/t] h ip[x/t\, where F[x/t\ = {ip[x/t] | V e T}. 

It is well-known that since untyped A-terms are available together with the 

axiom /3 and usual rules for equality, any set of equations of the following form 
has a solution for zi, . . . , 0„, where the expressions <Pi{zi, . . . ,Zn,Xi, . . . , Xm) are 
arbitrary terms with the free variables listed. 

ZiXi . . . = . . . , Z„, Xi, . . . , Xm) 



Zji X\ . . . Xyyi ( ^1 : • • • 7 , 1 , ■ • • , -^m ) 



In other words, for any such set of equations, there exist terms ti, . . . ,tn such that 
for any terms Si, . . . , we have h Eq (ijSi . . . Sm) (^i{ti, . . . , t„, Si, . . . , 
for each i ~ 1, . . . ,n. 

We will often define terms by such equations. In what follows we freely use 
the notation ti = t2 for h Eqt\t2 , or for F h Eqt\t2 when it is clear which 
context 7^ is meant. We use ti = t2 = ■ ■ ■ = tn to indicate that Eqt^ ti^i may be 
derived for i = 1, . . . , n — 1. We also sometimes write a term of the form Eqti t2 
as t\ = t2- 
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The rule eq essentially stipulates that terms which are provably equal are 
always interchangable. The presence of this rule together with unrestricted re- 
cursion is precisely what makes consistency proofs difficult. 

Theorem 3.4. The systemic is consistent, i.e. \/x> -L. 

Consistency of is ensured by typing rules, but in contrast to conventional 
systems, untyped terms may still be applied to arguments, simplified and rea- 
soned about. 

Unfortunately, we were not able to prove consistency of the full system I, 
with the rule eq^. However, dropping this rule does not weaken the system much. 
In practical terms, it only necessitates defining seperate equality predicates for 
every type, and relating them to the general equality Eq. This is sligthly incon- 
venient, so we chose to use Is in the main part of the paper. 

We also have the following result, which shows that 1^ is conservative over 
classical first-order logic. 

Theorem 3.5. There exists a translation [— ] from the language of classical 
first- order logic (FOL) to terms ofl'g, and a function r{—) from sets of first- 
order formulas to sets of terms of I[. providing necessary context, such that 

AhFo^ iff riA,ip),\A-\ hi, M 

where hpo denotes derivability in FOL, the notation A,ip is a shorthand for 
A U {(p}, and \A~\ stands for the image of A under [— ] . 

The proofs of Theorem 13.41 and Theorem 13.51 are rather long. They may be 
found in technical appendices to this paper. 

3.1 Representing logic 

The following rules for implication D may be derived in I, (and I'^). 

F \- if : Prop F,ip\-'>p F,ip \- ijj F \- Lp 

r h D V r^i} 

F \- Lp : Prop F,Lp \- ijj : Prop 
*' r h D V) : Prop 



For lack of space we delegate the derivations to a technical appendix. 

We could also define (p ^ as -^Lp V ip and derive the same rules for it using 
the law of excluded middle, but the derivations for D defined in terms of Subtype 
are also valid in intuitionistic logic. 

The following introduction rule for A may also be derived in Xj, recalling 
that (/J A ^ = V and using pi, -^t2, Ve, weakening and -i^. 
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Ai : 

Note that in general the ehmination rules for A and the rules for 3 cannot be 
derived from the rules for V and V in a similar way, because we would not be able 
to prove the premise ip : Prop when trying to apply the rule -i^ . It is instructive 
to try to derive these rules and see where the proof breaks down. The intuitive 
reason is that 3 and V are "lazy" , e.g. ipW ip is derivable when (p is derivable, 
even if ip does not have type Prop. 

In Ig the only non-standard restrictions in the usual inference rules for logical 
connectives are the additional premises F \- ip : Prop in rules Di, -'i and -ig- The 
first two of them are certainly unavoidable, as otherwise the Curry's paradox may 
be derived (see e.g. [T], [5]). However, we have standard classical higher-order 
logic if we restrict to terms of type Prop. 

Note that the law of excluded middle can be derived only in the following 
form. 

F \- p : Prop 

F \- pV -lip 

Adding F \- p\/ -ip as an axiom for arbitrary p gives an inconsistent system^ 
It is well-known that in higher-order logic all logical connectives may be 
defined from V and Z> as follows. 



= p ^ L 

(p A i/j = \fp : Prop . (p) D ^p D p) D p 
ip W i/j = \fp : Prop . {p D p) D {ip ^ p) ^ P 
3x : a . py = \/p : Prop . (Vx : a . pi D p) Dp 

One may therefore wonder why we take V and -> as primitive. The answer is that 
if we defined the connectives by the above equations, then the inference rules 
that could be derived for them would need to contain additional restrictions. For 
instance, we would be able to derive only the following variants of V-introduction. 

, F\- p F\-ip : Prop , F h ip F h p : Prop 
"^'^ ■ Fh pVip ■ Fhp\/iP 



3.2 Natural numbers 

The system Is includes natural numbers (type Nat) with s as successor, p as pre- 
decessor, as zero, and o as test for zero. We also have an induction principle for 
natural numbers (rules ni, na). An important property of this induction princi- 
ple is that it places no restrictions on t. This allows us to prove by induction on 
natural numbers properties of terms about which nothing is known beforehand. 

^ By defining p> — -<p one could then easily derive _L using the rule Ve applied to (pV—^ip. 
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In particular, wc do not need to know whether t has a /3- normal form in order 
to apply rule ni to it. In contrast, an induction principle of the form e.g. 

n'l : V/ : Nat ^ Prop . ((/O A (Vx : Nat . fx D f{sx))) D \fx : Nat . fx) 

would be much less useful, because to apply it to a term t we would have to 
prove t : Nat — )■ Prop beforehand. Examples of the use of the induction principle 
of Is for reasoning about possibly nonterminating general recursive programs 
are given in Sect. |4l 

In all derivations in this section we omit certain steps and rule assumptions, 
simplify inferences, and generally only give sketches of completely formal proofs, 
omitting the parts which may be easily reconstructed by the reader. 

Lemma 3.6. hj, Vx : Nat . {{ox) V 3y : Nat . x = {sy)). 

Proof. Recall that x ^ sy stands for Eqx {sy) . Let (p{x) = {ox) V 3y : Nat . x = 
sy. We have the following derivation. 

X : Nat, 1^9(2;) \- sx — sx x : Nat, 1^9(2;) h {sx) : Nat 
h oO X : Nat, ip{x) h 3y : Nat .sx = sy 

h ip{0) x : Nat, ip{x) h ip{sx) 

h Va: : Nat. ((ox) V 3y : Nat.x = sy) ^"^ 

Lemma 3.7. hj, \/x : Nat . {ox) D (x = 0). 

Proof Let ip{x) = (ox) D {x — 0). 

h oO 

h (oO) : Prop oO h = 

(«) 

X : Nat, ip{x) I — ^(o(sx)) 

X : Nat, ip{x) I ^(o(sx)) : Prop x : Nat, ip{x), o{sx) h ± 

X : Nat, (p{x) h o(sx) : Prop x : Nat, (p{x), o{sx) h sx = 

X : Nat, ip{x) h ip{sx) {b) 

(«) jb) 
h Vx : Nat . (ox) D (x = 0) 

We may define a recursor R for natural numbers in the following way: 

R = Xghxy . Cond {oy) {gx) {h x {py) {Rghx {py))) . 

For arbitrary terms (7, /i, ti, ^2 we have: 

Rghti0^g{ti), 
Rghti {st2) — htit2 {Rghtit2). 
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Note that we need the predecessor as a primitive, because otherwise a recursor 
would not be definable. 

Now +, — , • and <, usually used in infix notation, are defined as follows. 

X + y = R{Xx . x) {Xxyz . sz) 
X — y = R{Xx . x){Xxyz . pz) 

X ■ y ~ R(Xx . 0){Xxyz . x + z) 
X <y^o{x~y) 

Lemma 3.8. The following terms are derivable in the system Ig: 

1. Wx,y : Nat. (x + y) : Nat, 

2. Wx,y : Nat . (x - y) : Nat, 

3. Wx,y : Nat . (x • y) : Nat, 

4- Vx, y : Nat ■ {x < y) : Prop, 
5. Vx, y : Nat . (x ~ y) : Prop, 

Proof. We give a sample proof for the first term. 

X : Nat h {x + 0) = ((Ax . x)x) 

x : Nat \- (x + O) = X x : Nat h x : Nat 

a; : Nat h (x + 0) : Nat (a) 

X : Nat, y : Nat, {x + y) : Nat h (x + y) : Nat 
X : Nat, y : Nat, {x + y) : Nat h (s(x + y)) : Nat (b) 

X : Nat, y : Nat, (x + y) : Nat h x + (sy) = s(x + y) (6) 

X : Nat, y : Nat, {x + y) : Nat h (x + (sy)) : Nat (c) 

(«) (c) 

X : Nat h yy : Nat . (x + y) : Nat h Nat : Type 
I- Vx, J/ : Nat . {x + y) : Nat 

The second and third terms are derived in a similar way. The fourth term is 
derived from the second using Lemma 13.61 The last fifth term is derived using 
rule eq^. 

Lemma 3.9. hx^ Vx, y : Nat . (sx ~ sy ^ x — y) 

Proof. We assume x : Nat and show Vy : Nat . (sx — sy = x ~ y) by induction 
on y. For y = we have sx — sO = p(sx — 0) = V{sx) — x — x ~ 0, and under 
the assumptions x : Nat, y : Nat, (sx — sy) — x — y we may derive sx — s{sy) = 
p(sx — sy) — p(x — y) = X — sy. By rule ni we obtain the thesis. 

Lemma 3.10. hj^ Vx, y : Nat . (x > y) A (x < y) D (x = y). 
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Proof. Let (p{x) = Vy : Nat. [x > y) A [x < y) D {x = y). We proceed by 
induction on x. 

In the base step we need to show <p{0). We assume y : Nat and (0 > y) A (0 < 
y). From ?; < we have o{y — 0), i.e. oy, and thus y = by Lemma 13.71 Using 
part 4 of Lemma [3.81 it is easy to show ((0 > y) A (0 < y)) : Prop. Hence, we 
may use imphcation introduction and then universal quantifier introduction to 
obtain (/5(0). 

In the inductive step we need to prove Lp{sx) under the assumptions x : Nat 
and f{x). We assume further y : Nat and (sx > y) A {sx < y). By Lemma [3.61 
there are two possibihties: y = or 3z : Nat . y = 5z. If y = then we easily 
obtain sx — 0, which leads to a contradiction, from which we may derive x ^ y. 
If y — sz then we have sx — 5z = and sz — sx = 0. By Lemma 13.91 we 
obtain a; — z = and z — x = 0. From the inductive hypothesis we have x = z. 
Thus sx ^ sz = y. Since x : Nat and y : Nat, it is not difhcult to show that 
((sx > y) A (sx < y)) : Prop. We may therefore use implication introduction and 
then universal quantifier introduction to obtain ip(sx). 

It is possible to derive Peano axioms for + and • defined as above. 

Lemma 3.11. The following terms are derivable in the system 1^: 

— Vx, y : Nat . (sx — sy) D (x ^ y), 

- Vx : Nat.-.(sx = 0), 

- Vx : Nat . (x + x), 

— Vx, y : Nat . (x + sy = s(x + y)); 

- Vx:Nat.(x-0 = 0), 

— Vx, y : Nat . (x • (sy) = (x ■ y) + x). 

Proof. All proofs are easy. As an example we give an indication of how the first 
term may be derived. We assume x : Nat, y : Nat and sx — sy. From sx = sy, by 
applying rules for equality and axiom 8, we obtain x = p(sx) = p(sy) = y. Using 
rules eq^ and n2 it is easy to show that (sx = sy) : Prop. Therefore, we may 
use implication introduction, and then universal quantifier introduction twice, 
to show Vx, y : Nat . (sx = sy) D (x ~ y). 

Similarly, we may prove the usual properties of other operations on natural 
numbers. 

From the construction presented in an appendix to this paper it is evident 
that other simple inductive types like lists or trees could be incorporated into the 
system Is in a way analogous to natural numbers. In particular, their associated 
induction principles would be general schemas not placing any restrictions on 
terms to which the induction schema is applied. It is an interesting question 
how to best incorporate into our system a broad class of inductive types, e.g. all 
strictly positive inductive types. We do not attempt to answer this question in 
the present paper. 
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4 Partiality and general recursion 

In this section we give some examples of proofs in of properties of partial 
functions defined by recursion. We believe that one of the main advantages of 
is that most of the time we may use inference rules like in an ordinary logic, 
without worrying about issues of definedness. Only with implication introduction 
we need to prove that the antecedent is a proposition, and the terms used in the 
rules of negation introduction or elimination must be shown to be propositions. 
We hope the following examples will be convincing of the naturality of illative 
logic for proving properties of programs defined by general recursion. 

Example ^.1. Consider a term subp satisfying the following recursive equation: 

subp = \ij . Cond (i = j) ((subp i (j + 1)) + 1) . 

If i > j then subpi j = i — j.lii<j then subpzj does not terminate. An 
appropriate specification for subp is : Nat . {i > j) D (subpx = i — j). We 
indicate how a proof that subp satisfies this formula may be derived in our logic, 
assuming certain basic properties of operations on natural numbers. To avoid 
boring formalities, we give only an informal rough indication of how a formal 
proof may be obtained, but an inquisitive reader should not experience much 
difficulty in transforming the argument below into a derivation in the system X, . 
This is only a matter of filling in the details. 

Let (p{y) — V« : Nat . Vj : Nat . {i>jDy = i— jD subp ij = i — j)- We 
show by induction on y that Vy : Nat . f{y). 

First note that under the assumptions y : Nat, i : Nat, j : Nat it follows from 
Lemma 13.81 that {i > j) : Prop and [y = i — j) : Prop. Hence, whenever y : Nat, 
to show i>jZ)y — i — jZ) subp i j = i — j it sufhccs to derive subp i j = i — j 
under the assumptions i > j and y = i — j. 

In the base step it thus suffices to show subp i j — i~j under the assumptions 
i : Nat, j : Nat, i > j, i — j = 0. From i — j = we obtain o{i — j), so j > i. From 
i > j and i < j we derive i = j hy Lemma 13.101 Then subp i j — i — j follows 
by simple computation (i.e. by applying rules for Eq and appropriate rules for 
the conditional). 

In the inductive step we have ip{y) for y : Nat and we need to obtain 
ip{s{y)). It suffices to show suhpij = i — j under the assumptions i : Nat, 
j : Nat and s{y) ~ i ~ j- Because s{y) / we have i ^ j, hence subpi j — 
s(subpzs(j)) follows by computation. Using the inductive hypothesis we now 
conclude subpis(j) = i — s{j). Then it follows by properties of operations on 
natural numbers that s(subpi s{j)) — i — j. Hence the thesis. 

We have thus completed an inductive proof of Vy : Nat . ip{y)- Now we use 
this formula to derive subp? j = i — j under the assumptions i : Nat, j : Nat, 
i > j. Then it remains to apply implication introduction and V-introduction 
twice. 

In the logic of PVS [5] one may define subp by specifying its domain precisely 
using predicate subtypes and dependent types, somewhat similarly to what is 
done here. However, an important distinction is that we do not require a domain 
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specification to be a part of tlie definition. In an interactive theorem prover based 
on our formalism no proof obligations would need to be generated to establish 
termination of subp on its domain. 

Note that because domain specification is not part of the definition of subp, 
we may easily derive ip = : Nat . ((subpi j = « — j) V (subpj i = j — «)). 

This is not possible in PVS because the formula (p translated to PVS generates 
false proof obligations [5]. 

Example J^.Z. The next example is a well-known "challenge" posed by McCarthy: 

/(n) ^ Cond (n > 100) (n - 10) {f{f{n + 11))) 

For n < 101 we have f{n) — 91, which fact may be proven by induction on 101— n. 
This function is interesting because of its use of nested recursion. Termination 
behavior of a nested recursive function may depend on its functional behavior, 
which makes reasoning about termination and function value interdependent. 
This creates problems for systems with definitional restrictions of possible forms 
of recursion. Below we give an indication of how a formal proof of Vn : Nat . n < 
101 D f(n) — 91 may be derived in Ig. Again, we implicitly assume certain 
properties of operations on natural numbers, as in the previous example. 

Let (p{y) = Wn : Nat . n < 101 D 101 - n < y D f{n) = 91. We prove 
Vy : Nat . ^p{y) by induction on y. 

In the base step we need to prove f{n) =91 under the assumptions n : Nat, 
n < 101 and 101 — n < y = 0. We have n = 101 and the thesis follows by simple 
computation. 

In the inductive step we distinguish three cases: 

1. n+ 11 > 101 and n < 101, 

2. n + 11 > 101 and n > 101, 

3. n + 11 < 101. 

We need to prove f{n) =91 under the assumptions of the inductive hypothesis y : 
Nat, Vm : Nat . m < 101 D 101 - m < y D /(m) = 91, and of n : Nat, n < 101 
and 101 — n < s{y). 

In the first case we have f{n + 11) = n + 1 and n + 1 < 101. Hence by the 
inductive hypothesis we conclude 100 — n < y D f{n + 1) = 91. From 101 — n < 
s{y) we infer 100 — n < y, and hence f{n + 1). Since n < 100 it follows by 
computation that /(n) = /(/(n + 11)) = /(n + 1) = 91. 

In the second case n = 101 and the thesis follows by simple computation. 

In the third case, from 101— n < s{y) we infer 101— (n+ll) < y. Since n+11 < 
101 we conclude by the inductive hypothesis that f{n + 11) = 91. Because n + 
11 < 101, so n < 100, and by definition we infer f{n) = f{f{n + 11)) = /(91). 
Now we simply compute /(91) = /(/(102)) = /(92) = /(/(103)) = . . . = 
/(lOO) = /(/(111)) = /(lOl) = 91 (i.e. we apply rules for Eq and rules for the 
conditional an appropriate number of times). 

This concludes the inductive proof of Vy : Nat . Vn : Nat .n < 101 D 101 — n < 
y D f{n) = 91. Having this it is not difficult to show Vn : Nat . n < 101 D f{n) = 
91. 
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Note that the computation of /(91) in the inductive step rehes on the fact 
that in our logic values of functions may always be computed for specific argu- 
ments, regardless of what we know about the function, regardless of whether it 
terminates in general. 
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Appendix A Derived rules 

We show how to derive the rules for imphcation D, but we need the following 
lemma. 

Lemma A.l. If r,Lp h tjj, where x ^ FV{r,ip,'il)) and y ^ FV{ip), then r,x : 
{y : Prop \ if} hip. 

Proof. Straightforward induction on the length of derivation, using rule Se to 
show that r \- X : {y : Prop | ip} implies F \- ip, if x ^ FV{F, ip) and y ^ FV{ip). 

Now the rules for D are derived as follows. 
The rule 

r\-ip: Prop r, if hip 

r h D V 

follows by 

r I- (/5 : Prop y ^ FV{F, ip) 
F h Pro]) : T\ })(> F, y : Proj) h p : Prop 



Fh{y: Prop | ip} : Type (a) 

r,ip\-i' 

(a) r,x : {y : Prop \ (p} \- tp 



The rule 



r\-\fx:{y: Prop | . V 

F,p'r't/j Fh ip 



follows by 



Fh ip 



F \- ip : Prop 



Fh {y: Prop | ip} : Type Th _L : Prop F \- ip y^ FV{F, ip) 

F\-±:{y: Prop | ip} (6) 

F\-Vx:{y: Prop | ^} . V' (&) 

Finally, the rule 

F \- ip : Prop F,ip \- ip : Prop 



ri- (v3 D V") : Prop 
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follows by 

rhip : Prop y ^ FV{r, (p) 
r h Prop : Type F, y : Prop h if : Prop 

r h {y : Prop | ip} : Type (c) 

r,if\-'ip: Prop 
(c) -T, X : {y : Prop \ ^p} \- if) : Prop ^ ^ 
r h (Vx : {y : Prop \ip} .ip) : Prop 

where we use Lemma lA. II to perform the inference (★). 
Appendix B Semantics 

In this appendix we define a semantics for I'^. This semantics will be used in 
[Appendix C| to show consistency of 1'^ . 

Definition B.l. An X'^-structure is a triple A = {A, •, []) where A is the domain 
of • is a binary operation on A, and the interpretation |]] : T x A^ A \s 
a function from terms and valuations to A. We sometimes write --^ and |]]'^ to 
indicate that these are components of A. 

A valuation w is a function v : V A. We usually write instead of 
IKt,?;), and we drop the subscript when obvious or irrelevant. To stress that 
a valuation is associated with an -structure A, we sometimes call it an A- 
valuation. By v[x/a] for a G A we denote a valuation u such that u{y) = vijj) for 
y ^ X and u{x) — a. We use the abbreviations T = {a <E A\\x : TypeJ^^^^j = 
|T]} and M = {a e A \ {x : NatJ^^^^j = |T]}. The symbols a, a', h, b', etc. 
denote elements of A, unless otherwise stated. We often confuse T, ±, Is, etc. 
with |T], [Is], etc., to avoid onerous notation. It is always clear from the 
context which interpretation is meant. 

Definition B.2. An I^-model is an I^-structure satisfying the following require- 
ments: 

(var) IJxJj, = v{x) for x €V, 
(app) [titaL = IhL ■ P2L, 

{(3) [Xx .tj^-a^ Mvlx/a] for every a e A, 

(fv) if v^FV{t) = wiFV{t) then [t]^ = 

(^) if for alia e A we have fXx . tij^-a = [Ax .t2L - a then [Ax . tij^ = [Ax . i2L, 
(pr) {aeA I [x : Prorf^^^^j = T} = {T, ±}, 
(pt) [Prop : Type] = T, 
(nt) [Nat : Type] = T, 

(Vt) if a £ T and for all c e A such that Is • c • a = T we have b ■ c = T then 
V-a-6 = T, 

(V^) if a G 7" and there exists c G A such that Is • c • a = T and & • c = _L then 
V-a-6 = _L, 
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(Ve) if V • a • 6 = T then for all c G A such that Is ■ c ■ a — T we have b ■ c — T, 
(Vg) ay ■ a ■ b = 1. then there exists c G ^ such that Is • c • a = T and b ■ c = ±, 
(Vi) V-a-5=Tiffa = Tor6 = _L, 
(V2) V-a-5 = _Liffa = _L and b = ±, 
(-it) ^ ■ a = _L iff a = T, 
^ • a = T iff a = _L, 

(— >i) a f E A, a € T and for all c G A such that Is-c-a = T we have Is- {f-c)-b — T, 

then Is • / • (Fun ■ a ■ b) — T, 
(— >e) if Is ■ / • (Fun ■ a ■ b) ~ T and Is • c • a = T then Is • (/ • c) • 6 = T, 
(->t) if a, 6 e T then Fun ■ a - b eT, 

(si) if Subtype -a-b G T, Is-c-a = T and 6 - c = T, then Is - c - (Subtype -a-b) — T, 

(s2) if Is - c - (Subtype ■ a ■ b) — T then b ■ c ^ T. 

(s3) if Is - c - (Subtype ■ a ■ b) — T then Is - c - a = T, 

(s4) if a G T and for all c G ^ such that Is - c - a = T we have 6 - c G {T, _L}, then 

Subtype - a - 6 G 7", 
(0) G A/", 
(zl) 0-0 = T, 
(z2) - (s - a) = _L, 
(pO) p - = 0, 
(pi) p - (s - a) = a, 

(nl) if a • = T and for all 6 G A/" such that a - 6 = T we have a - (s - 6) = T, then 

V-Nat-a = T, 
(n2) if a G TV then 5 ■ a eM, 

(e) if for a E T there exists b G A such that Is - 6 - a = T then Is ■ {e ■ a) ■ a — T , 
(cl) Cond - T - a - 6 = a, 
(c2) Cond - _L - a - 6 = 6, 
(eq) Eq ■ a ■ b — T iS a = b, 

For a term </? and a valuation u we write M,u \= f ii M^^* = T. Given a 
set of terms F, we use the notation M,u \= F if M,u \= (p for all (p E F. We 
drop the subscript A4 when obvious or irrelevant. We write F \= (p ii for every 
Xg-model A4 and every valuation u, the condition Ai,u \= F implies Ai,u \^ tp. 

Note that every (nontrivial) I^-model is a A-model. See e.g. [T71 Chapter 5] 
for a definition of a A-model. 

Lemma B.3. In every F'^ -model the following conditions hold. 

(Ai) A ■ a - b = T iff a = T and b = T, 
(A2) A-a-5 = _L iff ± or b ^ ±, 

(3t) i/ a G T and t/iere exists c E A such that Is - c - a = T and b ■ c — T then 
3 - a - 6 = T, 

(3t) if a G T and for all c E A such that Is - c - a = T we have 5 - c = ± then 
3 - a - 6 = _L, 

(3e) if 3 ■ a ■ b = T then there exists c E A such that Is - c - a = T and b ■ c = T. 
Here A = {Xxy . ^((-ix) V (^y))| and 3 = {Xxy . -i(Vx Az . ~'{yz))]\ . 
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Proof. Easy. 

Theorem B.4. //rhj/ ip then T ip. 

Proof. Induction on the length of derivation. All cases follow easily from ap- 
propriate conditions in the definition of an I^-model or from Lemma IB. 31 For 
instance, suppose P h Eq(Cond(/3ii ^2 ) {Condipt'i t2 ) was obtained by rule C3. 
By the inductive hypothesis we have r,ip \= Eqtit[ and P ^ (p : Prop. As- 
sume M,u \= P. We have M,u ^ ip : Prop, so fip : Prop|j^ = T. By con- 
dition (pr) we obtain (pj^ e {T,-L}. Suppose = T. Then M,u ^ 
P,(p, so [Eq^it'j]]^ — T. Hence by conditions (app), (eq) and (cl), we have 
|Cond(/?ii ^2 ]^^' = lGondpt'it2}{^ . By conditions (app) and (eq) we obtain 
M,u \= Eq(Condi^ti ^2 ) (Condi^t'i t2 ) ■ So suppose [i^]^ = ±. Then we ob- 
tain the thesis by applying conditions (app), (c2) and (eq). 

We also show how to handle the rule n^. So suppose P h (Vx : Nat . (p{x)) : 
Prop is obtained by rule n^. By the inductive hypothesis we have P \= <p>{0) : 
Prop and P, x : Nat, (p{x) ^ (p{sx) : Prop for x ^ FV{P, (p). Suppose A4, u ^ P. 
Since x ^ FV{P, ip), we have M,u[x/a\ \= P and M^^./^] = l<fj{^ for arbitrary 
a G M. Therefore by condition (pr) we obtain {ipj^ ■ [0]^ e {T, 1} and for 
every a G such that {ip}^ • a = T we have {tp}^ • (s • a) G {T,_L}. If 

there exists a e such that {ip}-^ ■a = L then |Va; : Nat . •p>[x)l-^ = -L by 
condition (V_l). Otherwise [Vx : Nat . 93(0;)]^ = T by conditions (nl) and (Vt). 
In any case 7V(, w |= (Vx : Nat . <p(x)) : Prop. 

Other cases are established in a similar way. 

Conjecture B.5. li P ^ ^p then P hx' ^. 

We do not attempt to prove the above conjecture in this paper, as it is not 
necessary for establishing consistency of 2^, which is our main concern here. 

Appendix C Model construction 

In this appendix we construct a nontrivial X^-model, thus establishing consis- 
tency of the system I'^. The construction is parametrized by a set of constants l. 
We will use this construction in the next appendix to show a complete translation 
of classical first-order logic into I'^ . 

The construction is an adaptation and extension of the one from [3] for the 
traditional illative system I^. The proof is perhaps a bit easier to understand, 
because we do not have to deal with certain oddities of traditional illative systems 
from [3], like e.g. the fact that t : Prop is defined as equivalent to (Ax . t) : Type 
where x ^ FV{t), using the notation of the present paper. 

For two sets ti and r2, we denote by rj^ the set of all (set-theoretical) func- 
tions from Ti to T2. Formally, / G rj^ is a subset of ti x T2 such that for every 
/i G Ti there is exactly one /2 6 T2 such that (/i, /2} G /• 
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Definition C.l. Let Prop = {T,±} and % = {tjProp, N, 0}, where N is the 
set of natural numbers and T, ± are fresh constantqj. We define Tn+i as follows. 

- If r G and t' <Z t then r' G Tn+i- 

- If ri,r2 G Tn then tJ' G Tn+i- 

The set of types is now defined by T — Tn- 

We define a notation r^'^^' "''^"^ inductively as follows: 

- ^(ri) ^ ^ri^ 

_ ^(Ti,T2,...,r„) _ j-^(r2,...,T„)-jri^ 

We define the set of canonical constants as S — tUPropUNUZ"/, where Sj 
contains a unique fresh constant for each function in IJ T- We denote the function 
corresponding to a constant c G Sf by J-{c). To save on notation we often confuse 
constants c G Sf with their corresponding functions, and write e.g. c G r instead 
of J-{c) G T, for T G T. It is always clear from the context what we mean. Note 
that if J-{c) G then ri is uniquely determined. This is because J-{c) is a 
set-theoretical function, i.e. a set of pairs, so its domain is uniquely determined. 
Note also that if J'(c) G t^^ and J'(c) G t^'^\ then T{c) G (t2 Ht^^K 

Let v,w S* . We write v \Z w if w = vu for some m G S*. We use the 
notation v \Z w when v \Z w and v ^ w. 

Definition C.2. A S-tree T is a set of strings over the alphabet S, i.e. a subset 
of S*, satisfying the following condition: 

- if w G T and w C w then v E T. 

A node of a Z'-tree T is any w E T. We say that a node w G T is a leaf if there 
is no w' G T such that w □ w'. If w G T is not a leaf, then it is an internal node. 
The root of a Z'-tree is the empty string e. 

We say that Ti is a subtree of T2 if there exists w G T2 such that Ti = {u G 
E* \wvG T2}. 

Note that a relation <, defined by Ti < T2 iff Ti is a subtree of T2, is a well- 
founded partial order, because Z'-trees have no infinite branches. This allows us 
to perform induction on the structure of a S-tree. We write Ti < T2 if Ti < T2 
and Ti^T2. 

The height h{T) of a S-tree T is an ordinal defined by induction on the 
structure of T. 

- If T = then h{T) = 0. 

- If T 7^ then h{T) = sup-r,<j,(/i(T') + 1) 

^ Thus, T and _L used in this section are distinct from the previously used abbrevia- 
tions T and _L for terms in the syntax of Is- 
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Definition C.3. The set of constants is defined as 

S+ = SLIT U {V, V, -., Is, Subtype, Fun, Eq, Cond, Choice, Type, p, s}. 

Note that for each r G 7" we have r e as a constant. Formally, wc should 
define for each t G T a fresh constant and an appropriate function mapping 
these constants to types, but we prefer not to complicate matters. 

We use to denote a set of variables of cardinality at least the cardinality 
of E*. 

The set of operation symbols Op is defined to contain the following: 

- • e Op, 

- if x e V+ then \x e Op, 

- if r e T and r ^ then At € Op and Sr G Op. 

Intuitively, At means "for all elements of r satisfying . . . " , and St means "a 
subtype of t consisting of elements satisfying . . . " . These will appear as node 
labels in a S-tvee representing a semantic term. A node labelled with e.g. St 
will have a child corresponding to each clement of t. The siibtype represented 
by this node will consist of those elements for which the corresponding child 
reduces to T. 

Definition C.4. A semantic term is a pair (Pos, k), where Pos is a S-tiee and 
K : Pos — >■ Op U 17+ U is a function such that: 

- w € Pos is a leaf iff k{w) G E+ U V+, 

- if k(w) = Xx then wO G Pos and wc ^ Pos for c 7^ 0, 

- if k{w) = ■ then wO, wl G Pos and wc ^ Pos for c ^ {0, 1}, 

- if k{w) G {At, St} then wc G Pos iff c G t. 

In other words, semantic terms are possibly infinitely branching trees, whose 
internal nodes are labelled with operation symbols Op, and leaves are labelled 
with constants from i7+ or variables from y+. 

We usually denote semantic terms by t, ti, t2, etc. We write Pos(t) for the 
underlying tree of t, and t'^ instead of k{p). 

The height of a semantic term t, denoted h{t), is the height of its associated S- 
tree. When we say that we perform induction on the structure of a semantic term 
we mean induction on h{t). By induction on an ordinal a and the structure of a 
semantic term we mean induction on pairs (a, h{t)) ordered lexicographically. 

A position in a semantic term t is a string w G Pos(f). The subterm of t at 
position p G Pos(t), denoted t\p, is a semantic term (Pos', k') where: 

- Pos' = {w€ S* \pwe Pos(t)}, 

- k'{w) = K,{pw). 

A variable x G is free in a semantic term t if there exists p G Pos(f) such 
that t^P = X and for no p' Q p we have t^P = Xx. A variable is bound if it is not 
free. 
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We identify a-equivalent semantic terms, i.e. ones diflfering only in the names 
of bound variables. We assume that no semantic term contains some variable 
both free and bound. We use the symbol = for identity of semantic terms up to 
a-equi valence. 

Substitution t[x/t'] for semantic terms is defined in an obvious way, avoiding 
variable capture. In other words, we adopt the convention that whenever we 
write a term of the form t[x/t'] we assume that no free variables of t' become 
bound in t[x/t']. 

In this section, when we speak of terms we mean semantic terms, unless 
otherwise stated. We often use abbreviations for semantic terms of the form 
Ax . t, t\t2, Ax. (Fun a; (^1*2)), etc. The meaning of these abbreviations is obvious. 

Deflnition C.5. A rewriting system i? is a set of pairs of semantic terms. We 
usually write — > ^2 G -R instead of (^1,^2) € .R. A term t is said to R-contract 
to a term t' at position p, denoted t — t', if p G Pos(t) fl Pos(t'), the terms t 
and t' differ only in subterms at position p, and there exists ti ^ t2 E R such 
that t|p = t\ and t'\p = t2- We write t -^r t' if t — t' for some p € Pos(t). 

For each ordinal a, we define two relations and by induction on the 
ordinal a and the structure of t. 

(a) UceS then c c. 

(b) If c G rj^ and for all Ci € n there exists t' such that tci t' T{c){c{), 
then t)^fiC. 

(1) lit = t' ovt t' then t t'. 

(2) If ti t[ and ^2 =>fl t'^ then tit2 i'l^- 

(3) If t ^f, t' then \x .t^J^Xx.t'. 

(4) If ti t[ and t2 t'2 then (Ax . ti)t2 =>r t^lx/t'^]. 

(5) If c e E+, n € N, ct[...t'^ t and ti for i = 1, . . . ,n, then 

ct\ . . .tfi 

(6) If t ci G n and c 6 t^^ , then ct ^(c)(ci). 

(7) If t c for some cerGT then 1st r =>g T. 

(8) If t^" = t'^" = At or tM = t'^' = Sr, and for all c e r there exists t" such that 
*|c t" t'lc, then t t'. 

The notation =^r" is an abbreviation for IJ7<a ^fl' ^'^^ ^^j" denotes the transi- 
tive-reflexive closure of =>^". The notation >-^" is an abbreviation for IJ7<a ^li- 
We define the relations ^r and )~r as the smallest fixpoint of the above 
construction, i.e. by monotonicity of the definition there exists the least ordinal C, 
such that ^'r = ^r^ and ^'r = ^r'' , and wc take =>7j = =>^, ^_r = ^^. Note 
that w steps do not suffice to reach the fixpoint. In fact, the ordinal ^ will be 
quite large. 

We denote by ^r the transitive-reflexive closure of ^r, and by <^7j the 
transitive-reflexive-symmetric closure of The subscript is often dropped 

when obvious from the context. 
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Notice that the relation encompasses an analogon of /3-reduction, regard- 
less of what the rules of R are. Intuitively, the relation is a kind of parallel 
reduction on semantic terms, parametrized by the rules of R. 

Lemma C.6. If R C R' then C and C 

Intuitively, and very informally, t c is intended to hold if c G t £ 7" 
is a "canonical" object which "simulates" t in type r. By c "simulating" t in 
type T we mean that c behaves in essentially the same way as t, modulo =>_r, 
whenever a term of type r is "expected" . Let us give some examples to elucidate 
what we mean by this. For instance, let ci € Nat^'^* — ti, C2 £ l'' = T2 be 
two constants such that J-"(ci)(c) = c for all c G Nat and J^(c2)(c) = c for all 
c e t. Note that by condition (6) in the definition of =>ij and the fact that 
ci '^R ci and C2 >-r C2 we have cic ^r c for all c e Nat and C2C ^r c for 
all c e t. Now we have both Xx.x ^r c\ and Aa; . a; C2, because \x.x 
behaves exactly like c\ when given arguments of type Nat, and exactly like C2 
when given arguments of type i. The condition (6) ensures that Xx.x and c\ will 
be indistinguishable wherever a term of type t\ is "expected" . For instance, if 
d £ J'^ then we have d{\x . x) ^r, T{d){ci). In fact, we will later prove that, for 
an appropriate rewriting system i?, the conditions tc ^r t' >-r c' and r >-r c 
imply the existence of t" such that tr ^r t" ^^r c', where t is an arbitrary term. 

Note that we may have ci ^r C2 with ci, C2 E ci ^ C2, if there does not 
exist a single t E T such that ci,C2 £ r. We will later show that this is not 
possible, for a rewriting system R to be defined, if such a r G T does exist. 

We will build our model from equivalence classes of <^r on semantic terms, 
for a certain rewriting system R to be defined below. One of the main problems 
in the model construction is to ensure that the condition (Ve) of Definition IB. 21 
holds. The problem is that condition (— needs to be satisfied as well, which 
means that we cannot know a priori which terms t should satisfy Is i r for a 
function type t € T, because this must depend on the definition of =^r for {^i) 
to hold. And we cannot use a conditional rule of the form 

if for all t such that 1st r =>r T wc have tit ^rT then V rti ^r T 

because the definition would not be monotone. Our solution is to restrict quan- 
tification to canonical constants only, and to define the relation =^r in such a 
way as to ensure that for each term t with Istr =^r T there exist a canonical 
constant c G r and a term t' such that t =^r t' >- c. 

Definition C.7. Let x be a choice function for the family of sets T\ {0}. We 
define a rewriting system R by the rules presented in Fig. [TJ 

The above is a circular definition because the condition in the rule for Eq 
refers to the system R. Note, however, that this reference is positive. Formally, 
we may therefore define a progression of rewrite systems Ra consisting of the 
above rules, but each using as R the system R^a = [Jj<a^i- We note that 
Ra C i?^ for a < ^ and take R to be the least fixpoint. 
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■t!jqtii2 - 


, -r 
-> I 


It ti O/j t2 


Vrt - 


.1 

t 


where r £ T , t y), t = At and f = tc tor c G r 


Subtype rt - 




where t € T, t v, t = St and t = tc for c £ t 


V0t - 


T 




Subtype 0t - 


■> 




t - 


■> T 


if t'^ s At and for all c £ t we have t\c = T 


t - 


■> ± 


if f'"^ = At and there exists c £ t such that t^,, = ± 


t - 


■>t' 


if t'*^ = St and for all c G t we have t^^ £ {T, _L}, 






and t' = {c € T \ t\c = T} 


Pun ri T2 - 




for Tl , T2 € T 


Cond T ti t2 - 






Cond -Ltit2 - 






VTt - 


■> T 




\/tT - 


■> T 




V±± - 


■> ± 




-.T - 


± 




^± - 


-> T 




pO- 


■> 




pm - 


■> n 


for m, n e N, m = n + 1 


p{st) - 


■> t 




sn - 


->■ m 


for m, n € N, m = n + 1 


oO - 


■> T 




on - 


■> ± 


for n G N \ {0} 


o{st) - 


■> ± 




Choice T - 


-> X(' 


if T G r, T ^ 


1st Type - 


■> T 


for T G T 



Fig. 1. The rules of the rewriting system R. 
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From now on R refers to the rewriting system defined above, and the rela- 
tions —7-, =>, =S>, etc. refer to -^r, =>i{, ^r, etc. We write ti — >■= t2 if h — t2 
or ti = t2- 

The three simple lemmas below follow by an easy inspection of the definition 
of R and of 

Lemma C.8. If c=> t where c G then t = c. 

Lemma C.9. If c occurs in the definition of R with n arguments and we have 
cti . . . tn t, then there exist t[,. . . ,t'^ such that ti t'^ for i = 1, . . . ,n and 
ct[...t'^^'^t. 

Lemma C.IO. Ift — ti and t — t2 then ti =t2- 
Lemma C.ll. The following conditions hold. 

- Vh t'l then ti[x/t2] ^'r^ t[[x/t2]. 

- Ifii ^Rp t'l then ti[x/t2] t[[x/t2]. 

- Ifti c then ti[x/t2] c. 

Proof. Induction on triples {j3,a,h{t{)) ordered lexicographically. 

We first show that t\ — >-jj^ t'l implies ti[x/t2\ -^'r^ t'i[x/t2]. The only non- 
obvious case is when ti = Eqrir2 T = f/i by virtue of ri -^R^f, r2. 

But then by the inductive hypothesis (for smaller (3) we obtain ri[x/t2] '^r^d 
r2[x/t2]. This implies that ti[x/t2] = Eqri[x/t2] r2[x/t2] -^r^ T = t[[x/t2]. 

We show that ti =>g^ t[ implies t-i[x/t2] ^^r^ t[[x/t2]. If ii = t[ then 
this is obvious. If ti -^r^ t'l then this follows from the previous condition. If 
ti=cri... r„ =^%^ t[, CG E+, cr[... r'^ t[, r, r^ then r^x/ta] ^r^ 
r'i[x/t2] by the inductive hypothesis (because h{ri) < h{ti)). As in the previous 
paragraph, it also follows from the IH that cr[[x/t2] ...r[^[x/t2] — t'Ij^ t'i[x/t2]. 
Therefore ti[x/t2] = cri[xlt2] . . .rn[x/t2\ =>Rf, t'i[x/t2]. All other cases follow 
easily from the inductive hypothesis, and we omit them. 

Now we prove that ti >-^^ c implies ti[x/t2] ^r^ c. If = c then this 
is obvious. Otherwise c G rj^ G T and for all ci G ti there exists t[ such 
that tici =^R^ t[ >-^" J^(c)(ci). But then by the IH we have ti[x/t2]ci =^r^ 
t'i[x/t2] -^(c)(ci). Therefore t,[x/t2] )-%^ c. 

Lemma C.12. Ift2 t'2 then ti[x/t2] ti[a;/ty. 

Proof. Induction on the structure of ti. If ti = x or x ^ FV{ti) then this 
is obvious. If ti'^ G {At, St} then by the inductive hypothesis ti\^[x/t2] 
filcfx/tj] for c G T. Therefore ti[x/t2] ti[x/t'2\. Other cases follow directly 
from the inductive hypothesis in a similar fashion. 

Lemma C.13. Ifti t[ and t2 4 then ti[x/t2] i'Ja;/^]. 
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Proof. Induction on a and the structure of ti . 

If ti = t[ then the claim follows from Lemma IC.12I If ti — t[ then we 
consider possible forms of ti. Suppose ti = Eqr'ir2 T = t'l by virtue 
of ri r2- By Lemma IC.llI we have ri[x/t2] <S> r2[x/t2]. Hence ti[x/t2] = 
Eqri[x/t2]r2[x/t2] T = t[[x/t'2]. Suppose ti = Mrt t[ where t e T, 
t'l'" = At, and for all c G r we have t[^^ = tc. Then t[x/t2\ ^[a;/^^ by 
the inductive hypothesis, and 'iT{t[x/t'2\) — J^*^ t'i[x/t'2\ by Lemma [0.111 Hence by 
condition (5) in the definition of we obtain ti[a:/t2] = ^T{t[x/t2]) t'i[x/t'2\. 
Other cases are established in a similar manner. 

If ti = {Xy ■ri)r2 f[[y/r'2] = t[ where x ^ y, ri r'^ and r2 rg, 
then by the inductive hypothesis ri[a;/t2] ''^i[^/t'2\ ^^i^ f2[x/t2] f2[x/t2]. 
Recall that by our implicit assumption that in ti[x/t2] no free variables of t2 
become bound, we have y ^ FV{t2), and hence y ^ FV{t2). Thus ti[x/t2] = 
{Xy.n[x/t2])r2[x/t2] ^" r[[x/t'2][y/{r'2[x/t'2])] ^ (ri[2//ri])[xA^] ^ 

If ^1 = cri . . . r„ ^^'^ i']^ where c e 17+, r.^ r'^ for i = l,...,n, and 
cr[...r'„ -^^ t[, then cr^ [x/i^ . . . r;[x/t^] -><^ t'JxAa] by Lemma [011] and 
'fi{x/t2] ''i[a;/^2] by the inductive hypothesis. We thus conclude ti[x/t2] = 
cri[x/t2]...rn[x/t2] 

If = Istr T = t'l where i c for some c G r, then i[a;/t2] c 
by Lemma [am Therefore ti[x/t2] = lst[x/t2]T T = 

If ii'*^ = i']^'' = At and for all c £ r there exists tc such that ti^^ =y^" 
t'^l^, then tnc[x/t2] ic[a;/^2] by the inductive hypothesis. By Lemma [C.lll we 

obtain tc[x/t'2] ^"^^ i'liJa;/^^. This implies that ti[x/t2] ^ii^^/iy- 
Other cases follow by analogous proofs. 

Lemma C.14. If c e , n e N, cti . . . tn t and ti t'^ for i = 1, . . . ,n, 

then there exists t' such that ct'i . . . t' and t t' . 

Proof. If ctit2 = Eqti t2 T then ti ^ t2. Since C ^, we have t[ ^ t^. 
Thus Eqt[t'2 T. 

Suppose ctit2 = Vrt2 — i where t £ T, t'*^ = At, t^^ = ^2C for c G t. We 

have yTt'2 — S"*^ t' where t''^ = At and t'\c = ti^c for c £ t. Since t2C tjC, by 
condition (8) in the definition of we conclude that t t' . 

If rfi = \){st) -^'^ t then st tj. By Lemma [0.91 there exists r such that 
t r and sr — >L t'l. If sr = t[ then ci^ = p(sr) — ^-"^ r and we are done. 
Otherwise r = n and t'l = m, where n,rn G N and m = n + 1. We thus have 
ct'i = pm — ^■'^ n = r. 

Other cases are trivial or follow by a similar proof. 

Definition C.15. We say that two binary relations on terms -^i and — >2 com- 
mute if ti — J>i t'l and ^2 -^2 t'2 imply t'^ -^"^ t^ and t'2 — 5>f ^3 for some term ^3, 
where — is the reflexive closure of —^-i. 

Lemma C. 16. If and commute for all a' oi a and (3' 02 13, then 

and ^ -^oia *^2f} ^ ^^^^ =>°2/3^ commute. Here 01,02 G 

{<,<} anrf^^T^^'^ for-fe {a,l3}. 
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Proof. The proof is a simple tiling argument similar to the proof of the Hindley- 
Rosen lemma, see e.g. [Hi Chapter 3]. 

Lemma C.17. For all ordinals a, /? the following conditions hold: 

(i) and commute, 
(a) ift-^^c and t =>f^ t' then t' c, 
(Hi ) if t ci, t C2 and Ci, C2 £ r G T then c\ = C2. 

Proof. The proof is by induction on triples (a, /3, ordered lexicographically, 
where in condition {%) the term t is such that t =4>" t\ and t ti for some ^1,^2- 
Together with condition (ii) we also prove its dual, i.e. the condition with a 
and /3 exchanged. We only give a proof for the original condition, but it is easy 
to see that the dual condition follows by exactly the same proof but with a and /? 
exchanged. 

We first show condition (i). Assume t =^>" t\ and t ^2- We need to show 
that there exists t' such that ti t' and ^2 t'. It is clear that it suffices to 
consider only the situations when t ti follows by condition (m) and t t2 
follows by condition (n) in the definition of =4^ for m < n, provided that we 
never use the inductive hypothesis with /3 increased, which is easily verified to 
be the case. Indeed, then we may use exactly the same proofs, but with a and /3 
exchanged, to handle the cases when m > n. 

li t = ti 01 t = t2 then the claim is obvious. Suppose t ti follows 
by condition (1) in the definition of Then t — ti. By Lemma [C.IOI it is 
impossible that t t2 follows by condition (1) in the definition of , unless 
ti =t2. Suppose that t t2 follows by condition (5). Then t = cri . . . r„ — ti, 
Ti r[ and cr'^ . . . r^j — t2. By Lemma FC . 141 there exists t' such that ti t' 
and cr'i . . .r'^ -^^ t' . But by Lemma IC.IOI we have t' = t2. The only remaining 
possibility, when t ti follows by condtion (1), is that t t2 follows by 
condition (2). But then the claim follows from Lemma [0.141 

Suppose t = rir2 r^rj = ti where ri and r2 r'^. If t t2 

follows by condition (2) then t2 = r'^r!^ where ri =^>^ r" and r2 r'^. By the 
inductive hypothesis (note that h{ri),h{r2) < h{t)) there exist qi, q2 such that 
r[ gi, r'( qi, r'2 ^P q2 and r'^ q2. Thus ti = r[r'2 qiq2 and 
t2 = r'Ir'i gi<Z2. 

It is not possible that t t2 follows by condition (3). If it follows by 
condition (4) then ri = Xx .si, r[ = Xx . s[, si s[, and t2 = s'dx/r!^] where 
Si =>'^ s'/, r2 ^P rj. By the inductive hypothesis there exist qi and 92 such 
that s[ ^P qi, s'l gi, r'2 q2 and r!^ 52- By condition (4) in the 
definition of we have ti = {Xx . s'i)r'2 qi[x/q2]. By Lemma IC.131 we 
obtain t2 = s'([x/r2] qi[x/q2]. 

If t ^P t2 follows by condition (5) then ri = csi . . . s„, Si s", r2 
and cs" . . . s'^r!^ — J'^ ^2- By inspecting the definition of R we see that in this case 
cqi . . .q-m — r'l is not possible for any qi, . . . ,qm and any m < n. By inspecting 
the definition of we thus see that ri r[ is only possible when r[ = 
cs'i . . . s'„ and Si s[. By the inductive hypothesis there exist qi, . . . , qn+i such 
that s" =>" qi, s- gi for i = 1, . . . , n, and Qn+i, r'2 =>'^ gn+i- Therefore 
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cs'i . . . =i>'^ cqi . . . qn+i and cs" . . . s^Tj cqi . . . g„+i. By Lemma IC.14I 
there exists t' such that ^2 t' and cqi . . . qn+i -^'^ t'. Hence by condition (5) 
also h = cs[ . . . s'y2 t'. See Fig. [2 

=?> csi . . . s„r2 
I 
I 

=> cgi . . . qnqn+i 
I 
I 

ye 

= = = 

Fig. 2. 

If t ^2 follows by condition (6) then ri = r[ = c £ r2 )^^^ ci S ti 
and t2 = J-{c){ci). By part (ii) of the inductive hypothesis we conclude that 
r'2 >-<^ ci. Therefore h = cr'^ ^(c)(ci) = t2. 

If t t2 follows by condition (7) then ri = Iss, r2 = r, r'j^ = Iss', s s', 
^2 = T and s >-^^ c for some c £ t E T. By part (zj) of the inductive hypothesis 
we have s' c. Therefore ti = Iss'r2 T = ^2- It is easy to see that it is 
impossible that t t2 follows by condition (8). 

Now suppose that t ti follows by condition (3). Then t = Xx.r and 
ti = Xx . ri where r ri . It is easy too see that the only possibility is that 
t t2 follows by condition (3) as well. Then t2 = \x. r2 where r r2- By the 
inductive hypothesis there exists q such that ri q and r2 q. Therefore 
t\ = \x . ri Xx . q and t2 = Xx . r2 Xx . q. 

Suppose that t ti follows by condition (4). Then t = (Aa;.ri)r2 and 
ti = r[[x/r'2] where ri r'^ and r2 rj. It is easy to see that the only 
possibility is that t t2 follows by condition (4) as well. Then t2 = 'r'i[x/r2] 
where ri r'{ and r2 r!^. By the inductive hypothesis there exist qi and (72 
such that r[ qi, r'{ qi, r'2 (72 and q2- Therefore by Lemma [C.13l 

we obtain ti = r[[x/r'2] qi[x/q2] and ^2 = ''1 [a;/''2] Qi[^/Q2]- 

Suppose that t ti follows by condition (5). Then t = cri . . . r„, 
and cr[ ■ ■ .r'^ — ii. If i ^2 also follows by condition (5), then there exist 
r'l, . . . , r" such that r" and cr'/ . . . r" ^-"^ ^2- By the inductive hypothesis 

there exist gi, . . . , g„ such that r'^ qi and r" qi. Therefore cr'^ . . . r^j =>'^ 
cqi ■ . .qn and cr" =4>" cgi . . .qn- By Lemma IC.14I there exist t'j^ and t'2 

such that ii t'^, t2 ^'2, c<?i . . . g„ t'^ and cqi...qn -^'^ t'2- But by 
Lemma [OTOl we have t'^ = t'2. See Fig. [1 

It is easy to verify that it is not possible that t t2 follows by condition (6). 
If t t2 follows by condition (7), then we must have c = Is, ti = t2 ^ T. It is 
not possible that t t2 follows by condition (8). 

Suppose t ti follows by condition (6). Then t = cr =^>" J'(c)(ci) = ^2 
where c e tJ^ and r ci £ n. It is easily verified that the only possibility is 



csi . . . s„r2 = 
cs" . . . s^ra = = 

to = = = = 
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Fig. 3. 



when t t2 follows by condition (6) as well. Then t2 = !F{c){c[) and r >-<'^ c[ 
for some c[ S ti. By part (in) of the inductive hypothesis we obtain c[ = c\. 
Hence t\ =t2- 

Suppose t t\ follows by condition (7). Then i = Is rr, ti = T, and 
t =>^ t2 may only follow by condition (7). But then we have t2 = T = ti. 

Finally, suppose t ti follows by condition (8) and so does t ^2- 
Then e.g. i'^ = ii'*^ = t2'' = At, and for all c G t there exist and t'^ such 

that t|c tc =^'^" ti|c and t\c t'c t2\c- By the inductive hypothesis 

there exists r such that tc r and t'^ r. By the inductive hypothesis and 
Lemma [C.16l there exist qi and q2 such that 91, r gj^^ f2|c 92 and 

r 52- Again, by the inductive hypothesis and Lemma IC. 161 there exists qc 

such that qi qc and (72 g^,- Hence for all c G r there exists qi such that 

ti^c Qi =^^'^ qc, and for all c G t there exists (72 such that i2|c 'i'2 g^,. 
Let q be such that g'*^ = At and gi^, = qc for c G r. By the above considerations 
we have ti g and t2 9- See Fig. S] 



i^/3 

> r = 
II 



II 

II 

II* 



t2|c = = => 92 = = ^ gc 



Fig. 4. 



Now we show condition (ii). Thus suppose i c and t =>'^ t'. If i = c 
then t' = c and thus t' c. Otherwise c G and for all ci G ri there 

exists r such that ici r J^(c)(ci). Then tci t'ci and we conclude 

by part (i) of the inductive hypothesis and Lemma IC.16I that there exists r' 
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such that r r' and t'ci ^ " r'. By part {ii) of the inductive hypothesis 
we obtain r' J-{c){ci). Thus for every ci £ ti there exists r' such that 

t'ci r' J'(c)(ci). Hence t' ^" J^(c)(ci). See Fig.E] 



tci > r J^(c)(ci) 

II 
II 



Fig. 5. 



It remains to show condition {Hi). Thus suppose t ci and t C2 for 
ci , C2 G T G T. If T C Prop, r C t or r C Nat then t = ci = C2 because in this 
case t >-"' ci and t C2 may only be obtained by condition (a) in the definition 
of Otherwise r C rj^ and e.g. t ci is obtained by condition (b), hence 
a > 0. 

If ci ^ C2 then there exists c £ ti such that J^(ci)(c) ^ 7^(c2)(c). There 
exists ti such that te =^>*^" ti >-^" 7^(ci)(c). If t = C2 then by inspecting the 
definitions we see that this is only possible when C2C F{c2){c') J-"(ci)(c) 
where c )^^'*' c' £ ri and 7 < a. By condition (a) we have c c. Since 
c, c' G Ti and 7 < a we conlcude by part (Hi) of the inductive hypothesis 
that c = c'. Thus J^(c2)(c) -F(ci)(c). Obviously -F(c2)(c) -F(c2)(c) and 
J-'{c2){c),J-'{ci){c) £ T2, so again by part {Hi) of the inductive hypothesis we 
obtain J^(ci)(c) = J-"(c2)(c). Contradiction. 

Thus assume that t C2 also follows by condition (b) in the definition 
of ^. Then there exists ^2 such that tc ^2 >~^^ -^(c2)(c). By part (i) of the 
inductive hypothesis and Lemma IC.16I there exists r such that ^2 r and 

^ r. By part (ii) of the inductive hypothesis we have r J^(ci)(c) and 
r >~'^^ J-{c2){c). By part (iii) of the inductive hypothesis we obtain J-{cx){c) = 
F{c2){c). Contradiction. See Fig. [51 



tc * ^ti -F(ci)(c) 
I 
I 

t2 = = = = -F(ci)(c) 




.F(C2)(C) .F(C2)(C) 

Fig. 6. 
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Corollary C.18. The relation =^ has the Church-Rosser property. 

Definition C.19. The rank of a type t & T, denoted rank(r), is the smallest 
n G N such that r e 7^. The canonical type of a canonical constant c G S, 
denoted t(c), is defined as follows. 

— If c G t then r(c) = l. 

— If c S Prop then t(c) = Prop. 

— If c e Nat then t(c) = Nat. 

— Otherwise let tJ^ € 7" be such that c G rj^ and rank(T2) < rank(r2) for 
every T2 G T such that c S T2^\ Then t(c) = rp. Note that there may be 
more than one T2 satisfying the above condition. In this case we arbitrarily 
choose one of them, and it does not matter which. 

The rank of a canonical constant c, denoted rank(c), is the rank of its canonical 
type. 

Lemma C.20. The following conditions hold. 

— For all Ti,T2 G T we have rank(Ti), rank(r2) < rank(T2^). 

— If c € T then rank(c) < rank(T). 

Proof. For the first condition, note that rank(T2^) > and if rj^ G Tn+i then 

Tl,T2 G Tn- 

If t(c) G {t, Prop, Nat} then the second condition is obvious. Otherwise 
r(c) = rjS and if c G r then r = tJ^ and rank(r2) < rank(r3). Suppose 
rank(Ti) = ni, rank(r2) = n2, rank(T3) = n^. Then n2 < ns, rank(c) = 
max(ni,n2) + 1 and rank(T) = max(ni,n3) + 1. Thus rank(c) < rank(r). 

Definition C.21. We write t ^ c if c G rj^ and for every ci G n there exists tci 

such that for all ti with ti y- ci we have tti ^ tci >~ ^{c){ci). If for some ci G ti 
there is more than one term tc^ satisfying the above condition, then we fix one 
arbitrarily, but globally, i.e. given t and c such that t ^3 c we assume that is 
uniquely determined for each ci G n, and it depends only on t, c and ci. Note 
that if t ^ c then t y c. 

Let t y c. The mutual rank of t and c, denoted rank(t, c), is defined by 
induction on rank(c). If t = c then rank(t, c) = 0. If t ^ c then rank(t, c) = 
rank(c). If t ^ c but t ^ c then c G and rank(t, c) is defined by 

rank(t, c) = sup rank(fci , ^(c)(ci)) 

ciGri 

where tci is the term required by the definition of ^, such that for all terms ti 
with ti >- c\ we have tt\ 4> tc^ >■ T(c){c\). Note that rank(f, c) < rank(c), and 
if t ^ c then rank(i, c) < rank(c). 

Two positions pi,P2 G 17* are parallel if neither pi C p2 nor p2 E Pi- We 
write ti ;S>" ^2 if there exists a set P C Pos(fi) n Pos(t2) of pairwisc parallel 
positions such that for p G P we have ti\p >- t2\p and ti\p ^ t2\p, no free variables 
of ti\p become bound in ti, for every p G Pos(fi) \ P we have p G Pos(t2) and 
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ti''' = t2'^, and rankp(ti,t2) < where iankp(ti,t2) — sup^gp rank(ti|p, i2|p)- 
We write ti t2 if the same conditions hold except that rankp(ti,i2) < n. 

We write ti > t2 if ti »" t2 for some n eN. 

Lemma C.22. //ii >" t^, >" ^'2 and x ^ FV{ix\^) for all p G Pi, where Pi 
is the set of positions required by the definition of ti t[, then ti[x/t2\ 
t'i[x/t'^]. 

Proof. Let P2 be the set of positions required by the definition of t2 t2- Take 

P = Pi u {p e Pos(ti[x/i2]) I P = P1P2, =x,p2e P2} 

as the set of positions required by the definition of ti[x/t2\ t'^[x/t'^. 
Lemma C.23. The following conditions hold, 
(i) Ifti >" t2 t'2 then ti => t[ >" t'2. 

(a) Ifti t'^ andt2 t'l then there exists t'2 such thatt'2 ti andt'2 t2. 

(Hi) Ifti >" t2 c then ti >- c. 

Proof. Induction on tuples {n, /S, a, h{t2)) ordered lexicographically. 

We first show condition (i). Thus suppose ti t2 ^'r^ t'2- We consider 
possible forms of ^2 according to the definition of 

If t2 = t'2 then the claim is obvious. If t2 ^'p^ t'2 and t2 =>p^ t'2 follows 
by condition (1) in the definition of then the only non-obvious case is when 
t2 = Eqri r2 ^-^^ T = ij. Then ri <S'fl<^ ^2 and ti = Eqr'^ where r'^ ri 
and r'2 r2. It follows from parts {i) and (ii) of the inductive hypothesis that 
r'l ^ Thus T = t'2. 

If ^2 =>p^ ^2 follows by condition (2) then t2 = rir2, ^3 = ''1^21 '^i =^^^3 ''i 
and r2 =>'r^ r'2. We must also have ti = qiq2 where qi ri and 92 3>" ^2. By 
the inductive hypothesis [h{ri),h{r2) < '1(^2)) there exist q'l and such that 
qi ^ q'l, q2 4 q'2, q'l >" r'^, q'2 »" r^. Thus ti = qiq2 4 g^q^ »" r'^r'2 = t'2. If 
t2 =^p^ ^2 follows by condition (3) then the argument is analogous. 

Suppose t2 t'2 follows by condition (4). Then t2 = {Xx.ri)r2 and t'2 = 

r'i\xlr'^ where ri =>p^ r'^ and r2 =>p^ r'2. We must also have ti = (Ax.gi)(3'2 
where ri and 92 3>" ^2. By the inductive hypothesis there exist qj^ and ^2 

such that =4> gi, (72 4> ^2' ^'i '''i: 92 ''2- Lemma rC.22l we obtain 
»« r'^{xlr'2\. Thus = (Aa;. 91)92 ^ gi[a;/<zi] »" r'i[a;/r^] = t'2. 

Suppose t2 t'2 follows by condition (5). Then t2 = cri . . .rm, ri =>p^ r'^, 
cr'i . . .r'^ ~^i?;3 ^2- definition of Rp, the constant c is not a canonical 

constant. This implies that ti = cqi...qm where qi r^. By the inductive 
hypothesis {h{ri) < h{t2)) there exist q'l, ■ . ■ ,q'„i such that q'^ r'^ and qi g-. 
Thus cq'i . . . q'„^ cr'^ • • • ~^Rii ^2 ■ ^^^^ have already verified in this 
inductive step that this implies that there exists i'l such that cq'i . . .q'^=^ t'^ 
t'2. Therefore ti = cqi . . . qm ^ cq'^ ■ . ■ qm ^ i'l t'2. 
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Suppose t2 t'2 follows by condition (6). Then t2 = cr'2, t'2 = C2 = 

F{c){ci), r'2 ci e Ti, t(c) = rj^ for some T2 £ T- We also have ti = 

rir2 where ri c, hence ri :^ c, and r2 ci. By part (iw) of 

the inductive hypothesis we obtain r2 >- ci. First assume that ri = c. Then 
ti = rir2 = cr2 =J> T{c){ci) = t'2 by virtue of r2 >- ci, and we are done. So 
suppose ri ^ c. If ri ^ c then let q be the term required by the definition 
of ^, such that for every term r with r )~ ci we have rir q >- C2. Then 
rank(g,C2) < rank(ri,c) < n, and ti = rir2 => q >~ C2, because r2 >~ c\. So 
t\ ^ q 3>" C2 = ^2, which is our claim. Therefore suppose r\ ^ c and r\ ^ c. 
Then we have rank(r2,ci) < rank(ci) < rank(Ti) < rank(c) = rank(ri,c) < n 
by Lemma [C.20I Thus r\r2 :3>^" ?'ici. By the fact that ri >- c there exists t 
such that rici t ^ J^(c)(ci). By part (i) of the inductive hypothesis there 
exists t' such that rir2 ^ t' ><" t. Let C2 = -F(c)(ci). We have t' ><"■ 
t ;^ C2, so by part [iii) of the inductive hypothesis we obtain t' >■ C2- Since 
rank(t',C2) < rank(c2) < rank(r2) < rank(c) — rank(ri,c) < n, we conclude 
that ti = rir2 ^ t' >" C2 = t'2. 

Suppose t2 t'2 follows by condition (7). Then t2 = lsr2 t , t'2 = T, 

ti = Isri r , ri r2, and r2 >-^" c for some c G r £ T. By part (mi) of the 
inductive hypothesis we have ri >- c. Therefore ii = Isri r =^ T = ^2- 

Finally, suppose t2 t'2 follows by condition (8). Then e.g. ^2'*^ = ^2'*^ = 

til*^ = At, and for all c € r there exists tc such that t^^ t2\c ^Ri^ tc ^fl" 
t2|c- By part (i) of the inductive hypothesis {h(t2\c) < ^(^2)) there exists t'^ such 
that 4> tc- Applying the inductive hypothesis again, we conclude that 

there exists qc such that t'^ ^ qc t2|c- ^et q be such that g'*^ = At and 
g|c = qc for c G r. Then =^ q^c for all c G r, and hence ti — !■ q. We also have 
q t'2, because q\c i2|c f^^' c G r. 

We now show condition {ii). Thus suppose ti t'^ and ^2 =>^^ ^i- We 
consider possible forms of ^2 according to the definition of t2 t'l ■ 

If ^2 = t'l then the claim is obvious. If t2 follows by condition (1) in 

the definition of , then t2 -^r^ i'l and the claim follows easily by inspecting 
the definition of Rp. If t2 ^r t'^ follows by condition (2), then ^2 = rir2, 
t'l = r'ir'2, ri r'l, r2 ^% r'2, ti = q'iq'2, q'l >" r^, q'2 »" r^. By the 

inductive hypothesis {h{ri), h{r2) < h{t2)) there exist qi, q2 such that qi ^ q'^, 
92 ^ 92: 91 >" ^1. 92 »" ?'2- Thus qiq2 4> and (7152 >" i2. If ^2 i'l 
follows by condition (3) or condition (4) then the argument is analogous. 

If t2 =^Rp t'l follows by condition (5) then t2 = cri...rm, fi =^'r^ r-, 
cr'i . . . — i>^^ t'l, ti = cq'i ... 9^, 9- r-. By the inductive hypothesis there 
exist qi, . . . ,q,n such that qi => q'^ and qi r.;. Let q = cqi . . . q^- We have 
q »" t2 and q 4> cg^ . . . q'„^ = ti. 

If ^2 ^Ri^ t'l follows by condition (6) then t2 = cr, t'l = C2 = 7^(c)(ci), 
c G r ci G n, ti C2. If ii = C2 then the claim is obvious. 
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Otherwise ti > C2. Let e e [Vvop^^Y^ be such that for di,d2 € n, we have 
T{e){d\){d2) = T if di = d^, and T{e){di){d2) = -L if di ^ d2- Let g = 
Ax.Cond (ecix) ii (ex) .If s >~ d ^ ti and d^ c\ then Cond (ecis) ti (cs) 4> 
Cond _L ti J'(c) (d) T{c){di). If s ;^ ci then qs =^> Cond (ecis) (cs) 
CondTti(cs) ^ t\ >- T{c){c\) = C2. Therefore 9 ^ c, and rank(g, c) = 
rank(ti,C2) < n, since rank(J^(c)((i), J^(c)(d)) = 0. Thus qr cr = f2 and 
gr ^ ii, because r > c\. 

If f2 =^^^ i'l follows by condition (7) then the claim is obvious. If ^2 =^fl^ ^'i 

follows by condition (8) then e.g ^2'^ = i'l'^ = ii'* = At and for all c G r there 
exists tc such that t2\c =>^^ =^fl^ ^\\c- We also have fij^ t\^^ for all c £ r. 
Therefore by the inductive hypothesis for every c S r there exists t'^ such that 
t'^ tc and 4> Again, by the inductive hypothesis (/i(t2|c) < h{t2)), for 
every c G r there exists such that qc t2|c and =4> 4> Let g be 
such that gl*^ = At and gj,, = gc for c G t. Then g t2 and q ^ ti. 

It remains to show condition (Hi). Thus suppose ti ^2 ^^^^ c. If t2 = c 
then the claim is obvious. Otherwise c e rj^ and for every ci £ ti there exists g^ 
such that t2Ci ^^r" gci >-^" c. Since tici t2Ci, by part (i) of the inductive 
hypothesis for each ci € n there exists g^^ such that tici 4> g^^ g^ c. 
By part {Hi) of the inductive hypothesis we obtain g^^ :^ c. This implies that 

y c. 

Corollary C.24. If t2 ^ c and tic 4> d € Prop, t/ien tit2 4> d. 

The above lemma and the ensuing corollary confirm our intuition about the 
meaning of This basically finishes the hard part of the proof. What remains 
are some relatively straightforward lemmas. 

Definition C.25. We write t>T if t^t'yc for some term t' and some c G r. 

Lemma C.26. We have Isti t2 ~^ iff there exists t £ T such that ti t> t 
and t2 ^ T. Moreover, this t gT is uniquely determined. 

Proof. If t2 ^ T £ T and ti =^ t' y c for some c £ r then Isti ^2 Isfi r => 
1st' T T by condition (7) in the definition of =^'. If Is tit2 <S> T then Is ti t2 4> 
T by the Church-Rosser property of => and the fact that T is in normal form. 
But this is only possible when Is tit2 ^ Ist' t => T where t lE T, t2 ^ t and 
ti^ t' >- c for some c £ r, i.e. ti \> r. 

To see that t is uniquely determined it suffices to notice that it is in normal 
form w.r.t. ^ and has the Church-Rosser property. 

Lemma C.27. The following conditions hold. 

(a) If T eT and for all t2 such that t2 > t we have tit2 T , then Vrti <S> T. 

(b) If T G T and there exists t2 such that t2 \> t and tit2 -L, then Vrti _L. 

(c) Ifytit2 T then for all ts such that Ist^ti 4>T we have t2tz ^ T. 
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(d) Ifytit2 <S> -L then there exists t^ such that Ist^ti T and t2tz <S> ^• 

Proof. We show condition (a) . Suppose t ^ T and for all t2 such that t2 > t we 
have tit2 <S> T. If r = then V0ti — > T and the claim is obvious. Otherwise we 
have Wrti t where i'*^ = At and t\^f, = tic for c G t. Since c G t we have c > t, 

so tic <S> T, hence tic T by the Church-Rosser property. Therefore i 4> T. 
Condition (b) is shown in a completely analogous way. 

We show condition (c). Suppose \/tit2 T. Then Vtit2 =5> T, which is only 
possible when \/Tt2 =^ T and ti ^ t for some t & T- Suppose ^3 is such that 
Iststi <^ T. Then Iststi =4> T, and we must have ti ^ t' e T and ^3 > t', 
by Lemma IC.261 Because both t and t' are in normal form, we conclude by 
the Church-Rosser property that t = t' . Hence ^3 > t, i.e. ^3 ^ ^3 :^ c G t. 
Since Vt<2 =5> T, it is easy to see by inspecting the definitions that t2C ^ T . By 
CoroUarv IC . 241 we obtain ^2^3 =^ ^2^3 =^ T. 

Condition (c) follows easily from definitions, Lemma IC.261 and the Church- 
Rosser property. 

Lemma C.28. The following conditions hold. 

(a) //ti,T2 G T and for allt2 such thatt2 > ti we have tit2 t> T2, thenti > tJ^ . 
(h) //ti,T2 €zT, ti > tJ^ and t2 > ti then tit2 > T2. 

Proof. We show condition (a). Suppose ti, T2 G T and for all ^2 such that t2 > ti 
we have tit2 > r2. Let c G ti. We obviously have c > ti, so tic O T2, i.e. there 
exists a term and a constant c't2 such that tic ^ tc >- c' . Recall that tJ"^ 
consists of all set-theoretic functions from ti to T2. In particular, there exists 
d G tJ^ such that F{d){c) = c' for every c G ti and c' G T2 depending on c as 
above. But then ti >- d, and hence ti O tJ ^ . 

We show condition (b). Suppose ti,T2 G T, ti > rp and t2 l> n. Then 
ti t[ >- c £ tJ^ and t2 ^ ^2 G ti. By condition (6) in the definition 

of ^ we obtain ct'2 => J'(c)(ci) >~ J^(c)(ci) G T2. If t'l = c then tit2 0^2 ^ 
J^(c)(ci) G T2, so iit2 > T2. Otherwise t'it'2 ^ ct'2 =^ -^(c)(ci), and by part (i) 
of Lemma [0.231 there exists t such that ^1^2 =5» i']^t2 =^ ^ ^ -^(c)(ci) G T2. Hence 

tlt2 > T2. 

Lemma C.29. // Subtype ii t2 <S> t G 7" then there exists t' G T sztc/i that 
T t' , ti ^ t' , and for all terms t^: 

(a) if t^ [> t' then ^2^3 t> Prop, 

(b) ts [> T iff ts [> t' and ^2*3 ^ T. 

Proof. Suppose Subtype ^1^2 <S> t G T. Since t is in normal form, we conclude 
by the Church-Rosser property that Subtype ^1^2 ^ By inspecting the defi- 
nition of R we see that this is only possible when t' G T. If t' = then 
Subtype ii ^2 and by the Church-Rosser property we obtain t = 0. If t = 
then obviously t C t' and both conditions (a) and (b) are satisfied, because 
for any i3, as ^3 O would require the existence of some c G 0. 
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So suppose t' ^ and r ^ 0. Then Subtype T'i2 — 5" t where i'^ = Sr' and 
t\c = for c e r'. By the Church-Rosser property we have t ^ t, and by 
inspecting the definitions we easily see that this is only possible when = 
t\c ^ dc £ Prop for every c & t' and t = {c G t' \ dc = T}. But then obviously 
r C r'. To show (a) suppose O r', i.e. t:i ^ t'^ >~ c £ t' . By Corollarv lC.241 we 
obtain ^2^3 =^ rfc £ Prop. We now prove (b). Suppose ^3 [> r, i.e. ^ c e r. 

Since r C r' we obviously have ^3 [> t'. By CoroUarv I C . 241 we obtain ^2^3 ^ ^c. 
Since c G r we have dc = T. For the other direction, assume ^2^3 =^ T and 
ts \> t', i.e. ^3 4> ^ c e r'. By Corollarv fC.241 we have ^2*3 ^ 4 e Prop. By 
the Church-Rosser property we conclude dc = T. Hence c G t and ^3 > r. 

Lemma C.30. (a) Viit2 <S> T jj(f <S> T or t2 <S> T. 

(b) \/tit2 <S> -L ijjh ^ ± and ^2 ^ -L- 
('c^ If T £ T and T ^ i/ien Choicer [> r. 
('rfj Eqti ^2 ^ T ti ^ ^2- 

Proof. Follows easily from definitions and the Church-Rosser property. 

Lemma C.31. //<0 <S> T and for all n £N such that tn ^ T we have t{sn) 
T, then VNatt ^ T. 

Proof. Since sn m for n, m G N, m = n + 1, it follows by ordinary induction 
on natural numbers that in <^ T for all n E N. Now it is easy to see by inspecting 
the definitions that VNati => T. 

The lemma below is needed later to show = _L and [T] = T, where 
T, ± at the left sides of the equations are terms of the syntax of X'^, and T, ± 
at the right sides are constant semantic terms. Recall that T and ±, used as 
terms of the syntax of I'^, are abbreviations, respectively for VProp Xx.x and for 

V (Subtype Prop Aa;.(VProp Ax. a;)) Ax. (VProp Aa;.a;). These are distinct from T 
and _L used as semantic terms, and also from the semantic terms VProp Ax. x and 

V (Subtype Prop Ax. _L) Ax._L used in the lemma below. For instance, VProp Ax. x 
below stands for a semantic term, i.e. a certain Z'-tree, which is formally different 
from the term of the syntax of denoted by the same symbol. As already 
mentioned, in this section we work with semantic terms unless otherwise stated. 

Lemma C.32. We have VProp Ax. x _L, and V (Subtype Prop Ax. ±) Ax._L =J> 
T. 

Proof. The fact that VProp Ax . x =► ± follows easily by inspecting the definition 
of R. It is also easy to see that Subtype Prop Ax . _L ^ 0, and by definition of R 
we have V 0Ax . _L — > T. 

From now on, to avoid confusion, we use r, ri, r2, etc. to denote terms of I^, 
and t, ti, t2, etc. to denote semantic terms. 
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Definition C.33. We define an I^-structure M ~ (A, •,[]) as follows. As A 
we take the set of equivalence classes of <S> on semantic terms. We denote the 
equivalence class of a semantic term t by [t]. We define [ti] ■ [ti] = [tit2]- This is 
well-defined because ti <S> t[ and t2 t'^ imply t\t2 O t'\t'2- To save on notation, 
we sometimes confuse [t] with t, where it does not lead to ambiguities. 

Let : F — > A be an A^-valuation. We define a function u from Y to 
semantic terms by u(x) = t where t is an arbitrary but fixed semantic term such 
that [t] = v{x). By u[x/t] we denote a function w from V to semantic terms 
such that w{y) — u{y) for y x, and ^(a;) = t. By induction on the structure of 
an I^-term r, we define a translation from terms of to semantic terms, 
parametrized by a function u from V to semantic terms: 

- ps| = Is, TSubtypel = Subtype, pun| = Fun, ^V^ = V, m = V, = 

= Choice, pq| = Eq, ^Cond| = Cond, pype| = Type, ^Prop| = 
Prop, pat| = Nat, M = P, T^l = PI = 0, 

- WxY = "(2:) for x€V, 

- Wnr^r = WriT ■ Wr2r, 

- W\x . r]]" = Xy . [[r]]"[^/^l where x € V and y G is a fresh variable. 
Now the interpretation || is defined by 

where u is the function from V to semantic terms, corresponding to v, as defined 
above. 

Theorem C.34. The system X'^ is consistent, i.e. \fx' -L. 

Proof. Wc show that Ai is an Ij-model. We need to check the conditions in Def- 
inition |B]2l Conditions (var) and (app) follow directly from the definition of A4. 
For condition (/S) note that fXx . r]^ ■ [t] = [[[Ax . r]]"] • [t] = [{Xy . [[r]]"!^/?'!)^] = 
j^j,jju[a:/t]j _ where u is like in Definition IC.33I Condition (fv) is 

obvious from the definition of |][. For condition (^) suppose lAx.riJ^, • [t] = 
IXx . r2]|j, • [t] for every semantic term t. Then in particular this holds for any 
variable y £ V+ . We have [AccrJ^ • [t] = [(Ay . [[ri]]"!^/?'!)?/] = [[[nFl^'/^'l] 
and iXx.r2j^ ■ [t] = [(Ay . [[r2]l"[^/^l)y] = [[[?-2]|"['^/^l], where u is like in Defini- 
tion [C33l Hence [[[rifl^/^'l] = [[[rafl^^/^l]. But [Ax.ri]^ = [Ay . [[ri]]"!^/?'!] and 
[Ax.r2L = [Ay.^r2f'[-/«l]. 

Condition (pr) follows from Lemma rC.321 Condition (pt) follows directly from 
the definition of R. Conditions (Vt), (V_l), (Ve) and (Vg) follow from Lemma rC.271 
and Lemma [C.261 Conditions (Vi) and (V2) follow from Lemma [C.301 Condi- 
tions (~it) and (-i_l) follow easily from definitions and the Church- Rosser prop- 
erty. Conditions (— !>i) and (— >-e) follow from Lemma IC.28I and Lemma IC.261 
Condition (— follows from the definition of R and the Church- Rosser propery. 
Conditions (sl)-(s3) follow from Lemma FC. 291 and Lemma FC. 261 Condition (s4) 
follows easily from definitions and Lemma fC. 261 Conditions (0), (zl), (z2), (pO), 
(pi) and (n2) follow by the fact that Nat is isomorphic to the set of natural 
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numbers with s as successor, p as predecessor, as zero and o as a test for zero. 
Condition (pO) follows from Lemma [0.311 Conditions (e) and (eq) follow from 
Lemma rC.301 Conditions (cl) and (c2) are obvious from the definition of R and 
the Church- Rosser property. 

Now suppose hx' J- where _L is a term of I[. such that _L = Vp : Prop . p. 
Then by Theorem IB.4I we have A4 ^ Vp : Prop . p, so [[V Prop Xp .pj — [T] . 
We have |VPropAp.p] = [[[VProp Ap = [V Prop Aa; . a;] where x S V^+. By 
Lemma IC.321 we have V Prop Ax . a; => _L. Thus T <S> ±, but this is impossible by 
the Church- Rosser property of 

Appendix D Complete translation of first-order logic 

In this appendix we show that I[. is conservative over classical first-order in the 
following sense. We define a translation [— ] from the language of first-order logic 
to terms of Ig and show that 



where r{—) is a function from sets of first-order formulas to terms of providing 
necessary context, A,(p is a. shorthand for Alj{(p}, and \A\ stands for the image 
of A under [— ] . 

The method of the proof is essentially the same as in [Ij , and it is a relatively 
simple application of the construction from the previous appendix. 

First, let us state the definition of the system FO of classical first-order logic. 

Definition D.l. A first-order signature Z'po consists of function and relation 
symbols with associated arity. First-order terms and formulas over the signa- 
ture Sfo are defined in the standard way. We assume the only logical symbols 
are V, D and _L. Other logical symbols are defined from these in the usual way. 
Natural deduction inference rules are also standard. We present them below. By 
t, ti, ^2, etc. we denote first-order terms, by ip, ip, etc. first-order formulas, and 
by A, A', etc. sets of first-order formulas. We use A, 1^9 for Z\ U {(p}. 

Axioms 

- A\- (p\/ ^ip 
Rules 



Z\hFo V iff r{A,ip), [Z\] hi^ [(^1 



Ah<p 



X i FV{A) 



AV\lx .ip 



A\-\lx.ip 



A h 'f\xlt\ 



FO. 



Z\, V? h V' 



FO. 



Z\ h D -0 



Z\ h Iy9 D 
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A first-order structure ^ is a pair (A, /i, ...,/„, ri, ... , r„) where A is the 
(non-empty) universe and fi and are interpretations of function and relation 
symbols from Spo- A first-order valuation u is a function from variables to 
the universe of a first-order structure. We define the relations of satisfaction 
-4 |=FO V S'lid semantic consequence A \=fo V an obvious way. 

The following is a well-known result from elementary logic. 

Theorem D.2. A hpo 'P iff A \=fo 'P 

In this section we use s, si, S2, etc. for terms of I'g. We assume that first- 
order variables are present in the set of variables of 1'^, and also that all function 

and relation symbols from Spo arc present as constants in Wc also assiime 
that there is a fresh constant i in I^. This constant will represent the first-order 
universe. 

Definition D.3. The translation [— ] from first-order language to terms of I'^ 
is defined as follows: 

— [x] = x for a variable x. 

— \f{ti, . . . , tn)~\ = f\ti~\ ■ . ■ \tn \ for an n-ary function symbol / G Spo (possi- 
bly n = 0), 

— \r{ti, . . . , tn)] = '>'\ti'\ . . . \tn] for an n-ary relation symbol r € Sfo, 

— \yx.(p] =\/l\x. [(^1. 

For a set of first-order formulas A, by \A\ we denote the image of [— ] on A. 

The context-providing mapping F from sets of first-order formulas to terms 
of I'g is defined as follows: 

— 1st Type &r{A), 

— Is e F{A) if / e Z'fo is an n-ary function symbol and i occurs n 
times in the exponent, 

— Is r Prop'-'' "''-' e F{A) if r G Z'fo is an n-ary relation symbol and l occurs n 
times in the exponent, 

— Is j/t t e F{Ai) for a fresh variable not occuring in A, 

— Isxt G r(zi) for X G FV{A). 

In the above by t('' - '') and Prop'-'' "''-' we mean terms ,si and of T'^ com- 
posed of Fun and the constants i and Prop, corresponding in the obvious way 
to these types. 

Lemma D.4. (i) Fy([^]) = FV{<f) U {yj. 
(ii) If AC A' then r{A) C r{A'). 
(Hi) IfFV{t) C FV{A) then F{A) hx' [^1 : i. 
(tv) \^Mx/\t]]^\^[x/t]]. 
(v) r{A,ip) r<^l :Prop. 
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Proof. Claims {i) and (m) are obvious from definitions. Claims {iii)-{v) follow 
by straightforward induction on the structure of t or ip. 

Lemma D.5. Ifr{A),x ; t hj- [^] and x ^ FV{A,Lp) then r{A) hi- \lp\. 

Proof. Since x ^ FV(r, tp), we have x ^ FV{r(A), \lp\). By LemmaOwe thus 
obtain r{A),y, : l hj. \ipl But : t e r{A), so r(Z\) hi- [^]. 

Theorem D.6. //Zi hpo ^ then r{A,ip), [A] hj, {ip]. 

Proof. Induction on the length of derivation. 

Suppose A hpo Vx .If is a direct consequence of A hpo 'P and x ^ FV{A). 
Then by the inductive hypothesis r{A,(p), hj/ [(^]. We have /^(ZijC^c) = 
r{A,yx .ip) U {x : l} and a; ^ Fy(r(zi, Va; . .^)). thus r(zi, Vx . .^), x : l hj/ 
[(/?] and r(Z\,Vx.(^), [A] hi^ t : Type. We conclude by rule Vi of I'^ that 
-r(Zi, \/x .ip), [A] hj/ \fx : L . \(p'] . But \/x : L. \ip~\ =\/ lXx . \ip~\ = \Wx . (p'\ . 

Suppose A hpo ^fii^/t] is a direct consequence of Z\ hpo Vx . yj. By the induc- 
tive hypothesis r{A,Wx.ip), \A'] hj- Va; : t.\'^']. If x ^ FV{(p) then r(Z\, Va;.(y5) = 
A{A,ip[x/t\) and (/'[^^/^l = v[2^/2/t] = P where j/t is the variable from the defini- 
tion of r{-) such that : t G r{A,(p). Thus r(Z\, (/3[a;/t]), hi- (/^[x/?/,] and 
r(Z\, \A'] hi- Vx : t . [93] . By rule Ve of we have r{A, ip[x/t]), \a\ hi- 

[(/?] [x/i/t], and [((f][x/yt] — \(p[x/t]~\. If a; G FV{ip) then r{A,Vx . (p) is a sub- 
set of r{A,ip[x/t]) and r(zl, .^[x/t]) hj/ [t] : t by Lemma ID^ By weak- 
ening r(Z\, ^[x/t]), [Z\] hi- Vx : L-lip] and r{A,(p[x/t]),\A'] hj, [t] : 
Therefore by rule Ve of we obtain r{A,p[x/t]), [A] hj, {ip^lxj \t]]. But 
[(/?][x/[t]] = [(^[x/i]] by Lemma [El 

Suppose A hpo D is a direct consequence of A, (p hpo "0- By the 
inductive hypothesis r{A,(p,ip),\A'],\(p'] hi' [-0]. By Lemma lD.41 we have 
r(Z\,v?», [Z\] hi' \ip] : Prop. By rule of we have r{A,ip,4>), hi- 

M D M. But M 3 rV'l = T'^D Vl- 

Finally, suppose A hpo is a direct consequence of A hpo ^ ^ and 
Z\ hpo </'• This is the most interesting case, because by the inductive hypothesis 
r(Z\,(^, V), hi^ lip-] D [01 and r(Z\,^), rz\l hi^ [ip-], and by rule De in I', 
we may only infer r{A, (p, ip), [Z\] hi^ [0] . Note that if s G r(Z\, -0) \ r{A, -0) 
then s = X : t where x G and x ^ Ft/(Z\,-0). But then by Lemma FD. 5 1 

we have r(Z\,0), [Z\] hi^ [0]. 

Theorem D.7. If r{A,p), [A] hi/ [ip'] then A hpo ip- 

Proof. Suppose r{A,^p), hi^ \ip'] but Z\ l/po V?- Then Z\ ^po 'p, so there 
exist a first-order structure A and a first-order valuation u such that A, u |=po 
but A, u ^po 

We use the construction of Definition IC.33I to transform A into an Z^-mo- 
del M by taking the set of constants 6 of to consist of the elements of the 
universe of A. We also need to extend the definition of the translation [[— ]] from 
Definition IC.33I to interpret the new constants that we added to the language 
of I^. We set = t. If / is an n-ary function symbol then let c/ G be 
such that F{cf){ai){a2) ■ . ■ (a„) — /(ai, . . . ,a„) for any ai, . . . ,a„ G l. We set 
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\lf~W — Cf. Similarly, if r is an n-ary relation symbol then let G Prop^'' "''^ be 
such that for all ai, . . . ,a„ € t we have T{cr){ai){a2) ■ ■ ■ = T iff ^ |=fo 
r(ai, . . . , an). 

Note that in A4 we have l ^ {a ^ M |Is-a-t=: T}. This follows directly 
from Lemma IC. 261 and the fact that for a E l we have a ^ rj, and hence if t [> a 
then t <k> a. Note also that any first-order ^-valuation v is also an A^-valuation, 
if for a variable x we interpret v{x) as an element of the set t in A^. 

Now it is easy to show by induction on the structure of a first-order term t 
that = [i]^ G t for any first order- valuation v. Using this we verify by 

straightforward induction on the structure of a first-order formula ip that for 
any first-order valuation v we have If'/'llj^ = T iff ^, w ^ (p, and [[v?]]^ = -L 
iff w ^ ip. For instance, suppose tp = \/x.ip. Then \ip'] = Vx : t . [ipl- Since 
II : Typeir = T, and a e ^ iff Is • a • i = T, we have [[^IC = T iff [[V'll;^./,] 
for every a £ ^ iff v[x/a\ \= for every a G A iS A,v \= \fx = ip, where 
we use the inductive hypothesis in the second equivalence. 

It is easy to check that M,u r{A,(p). Hence M,u \^x'^ r{A,(p), \A], 
because A,u \^fo ^- Since A,u ^po f, we also have M,u [(^s]. But by 
Theorem IB .41 and r{A,(p), [zi] hj' \lp~\ we have A4,u \=x' If] - Contradiction. 
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